Virtual CISO Compliance Consulting: Ensuring Regulatory Alignment
When we talk about how a virtual CISO can help your company meet compliance and regulatory requirements, a virtual CISO can do two things. Number one, interpret the regulatory compliance framework and help assign the roles and responsibilities needed to respond to how each control is being met.
The second way a virtual CISO can help with compliance is by taking on the role and responsibility for the regulatory requirements that relate specifically to cybersecurity. The scope of regulatory and compliance requirements is a very wide field: there are many compliance requirements and many regulatory requirements.
Let’s take a minute and look at three popular compliance frameworks.
1. SOC 2 Type II
The number one compliance framework that I see at Azure Security when working with our clients is the SOC 2 Type 2. A SOC 2 Type 2 is broken down into five trust services criteria, or TSCs for short.
These make up 64 individual requirements, and a company can choose three trust services criteria or all five. That effectively means you’re looking at responding to between 60 and up to 100 controls. Of these trust services controls within a SOC 2 Type 2, in my experience, about 60 to 70 percent are going to require a cybersecurity role to address how you’re complying with or meeting the requirement.
What does that mean for the other 30 to 40 percent of the controls? It means other stakeholders in the business are going to have to take on the role of describing how each of those controls is being met. In these areas, a virtual CISO can still help, because a virtual CISO with SOC 2 experience can quickly identify the roles within a company that typically have the responsibility scope to address the required control descriptions. Oftentimes, a SOC 2 Type 2 will look at the integrity of the financial systems.
A virtual CISO can help identify who the CFO or the accountants are. A cybersecurity virtual CISO can look at the permissions within the financial system, whether it is QuickBooks or SAP, help perform an entitlement review, and ensure that the right people have the roles, responsibilities, access, and authorization within the financial platforms. So again, with a SOC 2 Type 2, there are many controls.
A virtual CISO can help with many of the controls relating to cybersecurity, but other roles will have to be pulled in. This is typical of a lot of compliance and regulatory frameworks. Cybersecurity will often have a large scope, responsibility, or investment in achieving the attestation, certification, or regulatory compliance, but there will almost always be other stakeholders within the business who are required to contribute.
2. CIS
Another popular framework, specifically for cybersecurity, is CIS. CIS stands for Center for Internet Security, and they publish some really good cybersecurity frameworks. These lean more toward the technical end of the spectrum of requirements if you’re looking to get some type of approval or attestation that you meet them.
CIS is going to be 90 to 99% cybersecurity, and a virtual CISO can either take on the control attestations or at least manage the full scope of CIS within the technical and cybersecurity responsibilities.
3. NIST
Another framework on the technical side is the NIST requirements, or the NIST frameworks. Today, we’re just going to talk about NIST 800-171 rather than the NIST Cybersecurity Framework version one or version two.
NIST 800-171, again, is very heavy on the technical control side. This framework would require an outside auditor to come in, review your program, and give you some type of score or confidence level on how you’re achieving NIST 800-171. Most of these controls fall within the scope of cybersecurity, and you’re looking at about 120 controls.
120 controls can make it sound like it’s not much work, but trust me, it is a lot of work, and depending on the scope of the system that you decide falls under, or are attempting to get approved for, NIST 800-171, the work can increase exponentially. So those are the three popular regulatory and compliance frameworks: SOC 2 Type 2, CIS, and NIST 800-171.
Privacy Compliance
On the other end of the spectrum of regulatory requirements and compliance standards, we start to slide more into privacy requirements.
HIPAA
Within privacy, the big one that comes to mind is HIPAA. HIPAA is the Health Insurance Portability and Accountability Act, and much like a SOC 2 has its pillars, HIPAA also has some primary areas: the Privacy Rule, the Security Rule, and the Breach Notification Rule. And obviously, as I said before, within this framework there are requirements that are specific to cybersecurity.
We’re going to really look at the confidentiality, integrity, and availability of the systems that support electronic protected health information, also known as ePHI. But the other part of the regulatory requirement is the privacy rules, and with frameworks that require privacy, the stakeholder investment becomes larger outside of cybersecurity.
In smaller companies, we usually see this shared with some type of legal entity or legal role that takes on the privacy rules and interprets these frameworks. In a more mature or better-resourced organization, we actually see a privacy officer working side by side, or in conjunction, with legal. A privacy officer has a large investment in the HIPAA regulatory and compliance rules.
GDPR
Let’s look at another regulatory compliance standard that a virtual CISO can help with, and that’s the GDPR. The GDPR leans heavily on privacy and on the response revolving around privacy records. GDPR stands for General Data Protection Regulation.
It is a European Union law whose goal is to protect people’s privacy. Within the GDPR regulatory rules, there is a specific scope of checklists for U.S. companies. The process of achieving GDPR compliance really starts with auditing your systems and identifying personal data belonging to European citizens.
Then you go on to inform those people why and how you’re collecting and processing their data. Ultimately, you have to decide whether you appoint a stakeholder to help with these privacy regulations, compliance standards, and the response. That brings me to the next point: cybersecurity gets involved in the investment in GDPR compliance because you have to know, and be prepared for, what to do if there’s a data breach.
Your incident response plan, and even your tabletop exercises, should be scoped around privacy data: how you bring privacy data into your systems, which other vendors have access to it, how you tackle incidents, and how you contain and remediate them. And then, finally, in the response: at what point do you notify people and organizations, and how do you conduct proper privacy response exercises. So again, we began by talking about regulatory and compliance standards and how a virtual CISO can help.
On one end of the spectrum, we see cybersecurity-heavy frameworks like SOC 2 Type 2, CIS, and the NIST frameworks. On the other end of the spectrum, we see frameworks and attestations that are heavier on privacy standards, like HIPAA and GDPR. In that case, you do want heavy involvement or investment from some type of legal or privacy officer role within the company.
Technology Platforms
I think another important component when thinking about compliance consulting and ensuring regulatory alignment is using a platform to monitor and track regulatory and compliance alignment. We want to use a platform because it standardizes the way we address these requirements, assign responsibility, track governance, and upload and maintain evidence. This really matters because the roles within your company, the virtual CISO you’re working with, or even the external readiness group you’ve hired as consultants to help you achieve this compliance or regulatory standard may all change, but your platform remains the same.
Your tracking can continue. Your evidence pool and repository remain the same. I highly encourage companies that are trying to achieve some level of compliance or regulatory requirement to use a platform to manage and track it.
Let’s go back to how the virtual CISO can help. As we talked about before, on many of these frameworks, compliance standards, and regulatory requirements, there will always be a heavy scope on cybersecurity. Another way that a virtual CISO can help is by leveraging the experience of other customers or clients they’ve worked with who have already gone through this process.
Story
A quick story: we recently helped a company that was looking to engage in a SOC 2, and they were getting very large quotes and very large timeframes, and the people helping them were not providing clarity on what that roadmap looked like. We accepted the invitation to contribute what we’ve seen previously, and through those discussions we really educated the customer on what readiness groups and platforms exist, and, from our experience, how much time it would take, the cost they would incur, and what to expect from the process. That was very beneficial for that client; they were very excited coming out of that meeting, and they felt more equipped to make the decisions they needed to make and to set expectations with their senior leadership in their attempt to achieve some of these.
I think another way that a virtual CISO can help with compliance consulting and regulatory alignment is in the interpretation of these requirements. Just as some of the frameworks rely heavily on cyber and others rely heavily on privacy, some of these frameworks are very specific in their control criteria, and other frameworks are very vague. So having the experience of someone like a virtual CISO on how to interpret a requirement, so that it can be applied appropriately and with confidence, is very beneficial to a customer.
So those are three ways that a virtual CISO can help with compliance consulting and ensuring regulatory alignment. Having the right cybersecurity resource when you have an initiative to achieve a regulatory or compliance requirement can be exponentially powerful. It can greatly reduce the stress on the business and its stakeholders in understanding the requirements.
It can speed up the process of interpreting what those controls mean. It can speed up the process of assigning the right person in the company to respond, write a description, and provide the evidence for those controls. A virtual CISO can help manage and administer the platform.
They can implement the governance tasks that are required by almost all of the frameworks we talked about today. That essentially means regularly going in and verifying that what you said you’re doing is actually being done, because these frameworks usually are not a one-time deal.
They really want to ensure that you didn’t just do it right one day, but that it’s consistently being done accurately. These governance tasks are the process by which you ensure that it’s continually being done.
A virtual CISO can help you achieve regulatory and compliance requirements. I hope this article has been helpful. If you have any questions, please leave them below and we’ll try to respond.
I wish you luck and success in achieving the many frameworks, compliance requirements, and regulatory requirements.