The Havoc Shield Blog
Every small business is unique, and should consult a qualified attorney for advice on the FTC Safeguards Rule. But, as cybersecurity professionals we believe you should have access to a way to jumpstart your effort, while you work with counsel on any unique particulars related to your situation. So, today we’re offering extremely actionable steps that would be a great step towards some of your FTC Safeguards Rule obligations. Let’s cut straight to the chase:
We’ve talked frequently about what to expect on enterprise security questionnaires. When founders know what to anticipate on those types of questionnaires, they get a head start on preparing proactively. That preparation can make all the difference when it comes to persuading a large enterprise that a startup is mature enough to be relied upon for business critical operations.
But, a sticking point in those conversations between founders and enterprise compliance teams can be… well… compliance. Some compliance obligations are not ones that can be satisfied overnight; some take weeks or months (and occasionally years) to get right.
So, founders are especially wise to try to anticipate what compliance questions they might face in enterprise security questionnaires. With that information in hand, founders are equipped to go on the dual track that we most frequently recommend: preparing compensating controls until compliance can be fully achieved, while also beginning to pursue formal compliance (even if that takes awhile). We see this very frequently with SOC 2: we often find that our clients are able to satisfy an IT compliance team by demonstrating sophistication on the types of controls that are often relevant to SOC 2, even if they don’t yet officially have a clean SOC 2 report supplied by an auditor. When they do finally obtain the report, it further cements their credibility with the enterprise they are doing business with.
When a founder-led business gets their first Vendor Security Assessment, it’s a bittersweet moment. On the positive side, it usually means that the startup is being taken seriously by an enterprise — often a prospective customer. On the negative side, a tough vendor security assessment often puts a startup on its heels as far as figuring out a way to acceptably answer the difficult questions therein.
One topic that comes up frequently is testing. Enterprises know that early-stage companies are often highly resource-constrained, and that raises the question of whether the product/solution has been tested in a way that gives confidence that the startup can deliver the way they say they’ll deliver. From the enterprise’s perspective, probing on testing practices is just a “common sense” way to get a sense for the maturity of the small business that they are considering working with.
But, what types of tests are startups being asked about, in a typical Vendor Security Assessment? We set out to answer precisely that question, by analyzing our internal archive of vendor security assessments, and here’s what we found.
Vendor Security Assessments are slooooow to change. If there is one part of a large enterprise that has a thankless job, it’s the IT compliance team that is charged with creating, revising, and reviewing vendor security assessment processes and forms. Make it too difficult, and business sponsors (buyers) across the company get upset that it takes too long to onboard their favorite new vendor. Make it too easy, and the enterprise takes on headline-grabbing cybersecurity risk that has wide-reaching regulatory and reputational impact.
So, in the face of these opposing pressures, what happens to an enterprise’s vendor security assessment forms / questionnaires over time? In our observation, almost nothing. You heard that correctly: the vendor security assessments that a particular enterprise had in place 12 months ago, are almost certainly what they have in place currently.
If you are considering a SOC 2 Readiness Assessment, now is the time to think critically about what you want out of that process. Most companies pursuing a SOC 2 Readiness Assessment see it as their smooth on-ramp into a full SOC 2 examination. And, they see it as a way to preemptively identify and resolve any major gaps in their security program.
In almost any imaginable case, that approach is dramatically better than getting knee-deep into an audit and discovering that you have a huge pile of urgent remediations that you need to take care of in order to obtain a clean SOC 2 report (an “unmodified opinion”). If you find yourself discovering major SOC 2 shortcomings during an audit, something went very wrong during your readiness effort.
So, SOC 2 Readiness Assessments are a good thing, right? Yes. But only if you pick one that is rooted in TSP Section 100.
Before we get into the interplay between vendor risk assessment and security awareness training, let’s get one thing out of the way right here at the top. There are bona fide, important, practical reasons why you absolutely should be doing security awareness training for your team regardless of whether a vendor risk assessment ever asks you to do so. It’s a smart move either way.
However, as a company that specializes in working with founding teams, we know that sometimes an early-stage venture hits a growth stride so quickly that the forcing function (a vendor risk assessment) arrives faster than the intuitive thought of “we should probably be doing some security awareness training” — and we certainly empathize with founders in that situation.
SOC 2 Readiness Assessment has become a buzzword amongst the community of founding teams that are starting companies that sell their services to big businesses. And why shouldn’t it be? Most startups with that particular go-to-market strategy will almost certainly need to successfully complete a SOC 2 examination to satisfy enterprise requirements at some point now or in the future. So, “readiness” is a natural first step.
Today we’ll zoom in on a particularly misunderstood topic — one that is even misunderstood by many of the SOC 2 Readiness Assessment providers. If it’s misunderstood by some of the companies that are conducting SOC 2 Readiness Assessments, we’ll bet it’s also misunderstood by the founder-led teams that they serve.
Today’s misunderstood topic is the interplay between service organization commitments and contractors.
When founding teams find a way to survive their first vendor risk assessment — usually on the tail end of making their first enterprise sale — it’s a moment that calls for celebration. At Havoc Shield, one of the absolute best moments for us is when a client calls us back and says “with your help, we made it through that security questionnaire” — it’s a celebration on our end too! But, is the end of a vendor risk assessment the final chapter in the vetting that the startup will face from their new enterprise customer? In a word, no. We’ll explore below.
We recently dug through 100+ vendor risk assessment templates and released some of our initial findings. We’re motivated to understand the prevailing norms in these types of assessments/questionnaires because our clients tend to find themselves on the receiving end of these types of documents on a frequent basis. When we can do a great job of helping our clients predict what security questions are likely to arise, it helps our clients prioritize what security controls to push closer to the top of the prioritization stack. One of the topics that is almost always covered in vendor risk assessment is the matter of infosec policies and infosec plans. 88% of the vendor risk assessments in our analysis contained questions about plans and policies.
Every day we talk with startup founders about small business cybersecurity. Although we’d love to speak with founders that spontaneously decided to “do more” about cybersecurity, our conversations usually start very differently than that.
Most often, there is a very specific and urgent cybersecurity-related need at hand. And an urgent call to our team for help thinking it through. We’re happy to help — not a problem! However, for the benefit of founders that haven’t yet hit one of those moments, here’s what folks a few steps ahead of you are running into. We’re glad to help with these more proactively if you’d like, to save a hectic scramble later.
Companies seeking to obtain a SOC 2 report are often in a hurry. So, what’s wrong with searching for a SOC 2 Compliance Checklist? Maybe this whole SOC 2 examination thing can be a quick, simple matter of working through a checklist and obtaining a report? Not quite.
Although we specialize in helping companies prepare for SOC 2 examinations — and we’ve gone to great lengths to ensure that we are attuned to the most common security controls that SOC 2 auditors tend to evaluate — auditors are required (for good reason) to maintain independence. That means that no provider (not Havoc Shield or anyone else) can supply the perfect checklist of items that is sure to lead to a clean SOC 2 report (an “unmodified opinion”).
If you’ve begun to explore the possibility of obtaining a SOC 2 report, you may have heard that a SOC 2 Readiness Assessment is a good place to begin the journey. That’s reasonable advice. Just as you wouldn’t invite a financial auditor to review your financials without taking preliminary steps to ensure that your financial statements are in order, you wouldn’t pursue a SOC 2 examination if you didn’t have reason to believe that you had the necessary security practices in place to perform well under professional scrutiny. For that reason, the following sequence has become popularized:
If you are subject to the FTC Safeguards Rule (link), it can be hard to know where to start with your compliance effort. An important first piece of information that you should keep in mind is that the proposed changes to the FTC Safeguards Rule have not yet been...
No one wants a SOC 2 examination to go poorly. For most organizations, getting to a SOC 2 report that reflects favorably on the company’s security practices is essential. Often there are customers or partners pressing for evidence of a SOC 2 report. When that’s the case, the process of engaging an auditor to conduct an examination is one that can cause some anxiety. The concept of a SOC 2 Readiness Assessment has become popular as one of the ways to reduce the odds of unexpected surprises during the examination.
One of the central topics in a SOC 2 Readiness Assessment is the concept of “commitments to customers” — specifically, determining precisely what commitments an organization has made to their customers. Was there a 99% uptime commitment, or was it 99.5%? Was the commitment made uniformly to all customers, or are there some marquee customers that were promised 99.9%? This is an example of one type of commitment that might come up during a SOC 2 Readiness Assessment.
For organizations that have never previously been through a SOC 2 examination, it may take substantial effort to gather the documents needed to fully understand what commitments have (and haven’t) been made to customers. That’s the purpose of this post: to suggest some of the items to gather to be prepared to substantiate what commitments to customers exist. Here’s our take:
Maintaining small business cybersecurity while allowing BYOL (bring your own laptop) is one of the hottest topics amongst companies that seek out our help. Although there is no one-size-fits-all solution, it helps to have a contextual sense for the continuum of high risk to low risk decisions that a company can make while navigating this complex topic. Here’s our shot at very simply summarizing some of the key stopovers on that continuum that we’ve seen companies land at.
SOC 2 involves internal procedures for the company’s employees and doesn’t involve any board of directors involvement, right? Wrong. In this post, we’ll offer some insights into the ways in which a company’s board of directors should expect to be involved in the company’s SOC 2 efforts.
We’ve seen many attempts at a SOC 2 compliance checklist over the past few years as more and more companies have become interested in obtaining a SOC 2 audit report. Unfortunately, there are fundamental flaws that we routinely see in these types of checklists. Today we’ll dive into the flaws to watch out for — ones that could lead to extreme frustration if you were to complete a SOC 2 compliance checklist and later discover (with an auditor present) that you are far from ready for a SOC 2 audit. Here’s the scoop.
Is your organization required to comply with HIPAA privacy standards? If so, you’ve probably heard the term PHI – which is short for Protected Health Information. In the past we’ve written about how Protected Health Information must be rendered “Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” — and that leads HIPAA covered entities and business associates to be especially careful about encryption at rest, encryption in-transit, and authentication.
However, today we’d like to take a step beyond that, to a day that no one enjoys but everyone experiences at some point. What happens when a hard drive containing Protected Health Information fails? The problem that most organizations face on that day is the uncertainty about how to dispose of this type of storage device if they don’t have the luxury of being able to use software-based utilities for clearing its contents.
Would you rather talk about movies, photographs, or SOC 2 Type 1 vs Type 2? If your answer was “all of the above” then you’ve come to the right place.
Amongst companies evaluating the possibility of obtaining a SOC 2 report, there’s been some confusion about the difference between SOC 2 Type 1 vs Type 2. Let’s see if we can clear that up; here’s what the AICPA says about it.
Apple just released iOS 14.4, with absolutely essential security updates. Although we rarely use this blog as a method of announcing patches and releases from specific vendors, the iOS security vulnerabilities in Apple’s recent release are so essential that we’ll break with tradition. We’ll break down the three key points in Apple’s release notes for you below.