Pursuing the Right Certifications
Sometimes organizations know the exact compliance framework needed because their customers are asking about it. However, additional compliance frameworks may be relevant, overlap with the one already in scope, or open up new sales opportunities.
Our team can meet with you to discuss your business goals and general security capabilities to evaluate which framework or frameworks you may want to pursue.
Federal Risk and Authorization Management Program
Run by the General Services Administration, FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP authorization is required for U.S. Government vendors that offer cloud services, including SaaS solutions. If your business contracts with the government or if you do business with a government contractor, this may apply.
General Data Protection Regulation
The GDPR is a regulation in European Union (EU) law that requires businesses to protect personal data of EU citizens for transactions that occur within one of the 27 EU member states. Companies in any geographical location that store or process personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
Health Insurance Portability and Accountability Act
HIPAA is a U.S. law that outlines protection and security standards for health care data. The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. HITRUST is the organization that helps companies comply with HIPAA.
International Organization for Standardization / International Electrotechnical Commission
ISO/IEC 27001 is a set of information security standards that helps organizations manage the security of customer and employee data, financial information, intellectual property, and third-party data. It is not required, but it provides baseline security controls and management practices. Organizations are certified by an accredited certification body following successful completion of an audit. As a widely adopted global standard, certification conveys credibility and trust to vendors, customers, and other stakeholders.
National Institute of Standards and Technology Special Publication 800-171
NIST 800-171 governs Controlled Unclassified Information (CUI) in non-federal information systems and organizations. It is a set of standards that defines how to secure and distribute material deemed sensitive but not classified. The requirements apply to non-federal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. Organizations that are government contractors, or associates of those contractors, will need to hold this certification.
Payment Card Industry – Data Security Standard
PCI-DSS is an information security standard for organizations that handle branded credit cards, with the purpose of increasing controls around cardholder data and reducing fraud. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA), by an Internal Security Assessor (ISA), or through a Self-Assessment Questionnaire (SAQ).
SSAE 18 SOC 2
Statement on Standards for Attestation Engagements (SSAE) 18 and System and Organization Controls (SOC) 2
SSAE is an auditing standard for service organizations published by the American Institute of Certified Public Accountants (AICPA). System and Organization Controls (SOC) comprises three types of reports: SOC 1, SOC 2, and SOC 3. SOC 2 uses WebTrust and SysTrust criteria to evaluate an organization's information systems with respect to security, availability, processing integrity, confidentiality, and privacy. This certification indicates that the service provider is meeting a minimum set of industry standards.