IT Security is the practice of implementing effective technical controls to protect an organization’s IT assets, and Compliance is the application of that practice to meet a third party’s regulatory or contractual requirements. More specifically, Security is a clear set of technical systems, tools and processes put in place to protect IT assets, whereas Compliance studies a company’s security processes, documents their security at a single moment in time and compares it to a specific set of regulatory requirements.

Compliance frameworks follow and enforce different standards and regulations based on the type of industry, geographical location, legislative requirements, etc. HIPAA, SOC2, GDPR, ISO 27001 and PCI-DSS are a few common compliance frameworks currently in use across the industry.

It is important to note that Security & Compliance are not limited to large or enterprise organizations. Given the recent increase in cyber incidents, achieving SOC2 or HIPAA compliance certification has become more prevalent among startups and smaller-tier companies as well. In fact, it is very common for enterprises to expect such compliance certification from their suppliers and vendors.

Introduction

SOC2 is a security framework which defines criteria for organizations or companies managing sensitive customer data.

  • Controls under SOC2 are defined based on the five trust principles: Security, Availability, Processing Integrity, Confidentiality and Privacy.
  • Each organization has to determine which principles to focus on for compliance certification based on its customers’ requirements, type of industry, etc. Smaller companies almost always start with the Security trust principle.
  • SOC2 reports are unique to each organization and depend on how that organization manages data.

HIPAA stands for the Health Insurance Portability and Accountability Act, passed by the US Congress in 1996.

  • HIPAA’s major objective is to keep patients’ protected health information (PHI) safe and secure, whether it exists in a physical or electronic form.
  • Controls are categorized under Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, Process and Procedures, and Notifications in case of a breach.
  • Healthcare providers, healthcare insurance companies, companies handling Medicare information, etc. require HIPAA compliance certification.

Why should Startups/Smaller Companies focus on SOC2 or HIPAA compliance?

Achieving SOC2 or HIPAA certifications shows a company’s commitment towards keeping its security posture in order. The compliance certification also helps gain credibility with current and potential clients.

  • SOC2 compliance validates a company’s capability in handling customer sensitive data in a secure manner.
  • HIPAA compliance certifies a company’s ability to securely manage Protected/Personal Health Information (PHI) data. This also ensures coverage of legal aspects associated with the Health Insurance Portability and Accountability Act of 1996.

Obtaining either SOC2 or HIPAA compliance builds customer confidence and trust in services companies. In a lot of cases, only companies with compliance certification are allowed to compete for services contracts. As a result, obtaining and maintaining such certification provides a competitive advantage for a services company.

Being a SOC2 Type 2 compliant company, KansoCloud has been assisting multiple customers by providing Compliance Manager services to customers trying to achieve SOC2 and/or HIPAA compliance.

How can Startups/Smaller Companies achieve SOC2 or HIPAA Compliance?

By nature, startups and smaller companies have limited resources at their disposal and tend to be a lot more focused on innovation and business development. Security and Compliance almost always become an afterthought. KansoCloud assists such organizations to achieve compliance certification in an efficient and cost-effective manner. Discussed below is a brief process on how to go about achieving SOC2 and/or HIPAA certification.

SOC2 and HIPAA have a lot of common, overlapping controls, which makes it easier for companies trying to achieve both certifications. The controls fall into the following areas.

  • People - captures all the security aspects from the perspective of an organization’s employees. Employees or contractors who have access should undergo security awareness training regularly, accept all company policies, agree to background checks and should have secured individual access to data using encrypted/protected physical devices.
  • Policies - defines a set of policies and procedures protecting the security of the organization and its data. In addition to security-related policies, it also requires policies related to HR, access management and operational activities undertaken by the organization.
  • Engineering - covers the technical aspects of the organization’s work. One of the subsections is Infrastructure, which includes the inventory, architecture and ownership of resources used by the organization. Data storage is another subsection, which captures encryption and backups associated with user data being stored and transmitted through systems. Monitoring alerts with associated actions, along with the software development life cycle, are also covered under this section.
  • Vendor Management - defines the controls and standards used in the organization’s business agreements with vendors and suppliers to ensure they are also in compliance with the same controls and standards.
  • Risk Assessment - every organization is expected to perform a risk analysis associated with its physical security, sensitive data, codebase, PHI managed, etc. to come up with a comprehensive risk assessment.

What can Startups/Smaller Companies do to achieve Compliance?

Based on the KansoCloud team’s prior experience taking organizations through such compliance certifications, here are our recommended next steps for organizations trying to achieve compliance.

  1. Subscribe to a SaaS automation platform which continuously monitors and collects evidence on a regular basis. Going in for compliance certification without an automation platform will require a lot of manual work related to gathering and managing evidence. Approximately half of the requirements around defined controls are handled by these automated platforms, and they can also integrate with multiple standard HR and directory systems to automatically pull down relevant data and identify gaps from the outset.
  2. Engage an auditor early in the process so that they can assist in defining the audit scope and ensure the team is focused on the right controls and processes required to support an actual audit. Frequent checkpoint meetings with the auditor also help fill in gaps which may not typically be detected automatically by SaaS platforms.
  3. Assign a compliance manager who will be the key point of contact for all activities related to this exercise and can act as a facilitator between different stakeholders. The compliance manager will have to work closely across different departments to configure and integrate multiple company systems with the SaaS automation platform. Once integration is completed, the compliance manager can then work on remediating any gaps identified by the automated platform and the auditors.
  4. Meet frequently with the auditor so that, as and when gaps are mitigated, they can be validated by the auditor right away and any additional feedback provided. Once the auditor is in agreement that all gaps have been addressed, work with them to start the observation window defined for either HIPAA or SOC2 certification. Observation windows can run from three to six months depending on a few factors.
  5. On successful completion of the observation window and resolution of any identified gaps, the auditor can issue the appropriate compliance certification.

An organization can choose between two types of certification, Type I or Type II. Type I describes whether the organization’s systems and design are suitable to meet the relevant controls as of a specified date or point in time. Type II details the operational effectiveness of those systems and processes over a specified period of time (the observation window). If possible, it is our recommendation for organizations to aim for Type II certification.

Conclusion

Achieving SOC2 and/or HIPAA compliance certification for a startup or a smaller organization is a good way to kick off its growth journey. Compliance certification is usually easier to achieve with a smaller footprint, and an organization can maintain the same posture with minimal additional effort as new customers and processes are onboarded with additional growth. Achieving compliance certification should never be a “one-time” target; planning to maintain it throughout the growth journey of an organization is the better way to go, since compliance certification almost always requires a yearly evaluation and audit. KansoCloud compliance managers come in with practical experience assisting similar customer organizations to implement security and compliance processes, paving the way for a successful compliance certification and future maintenance.