Dive Into SOC Report Essentials: A Comprehensive Guide for Business Owners
If you’re a business owner working with third-party vendors, specifically those handling data or financial transactions, you’ve probably experienced requests for or received a SOC report. Short for “System and Organization Controls reports,” these are essential for verifying that service providers maintain secure and reliable systems.
But understanding the answer to the question “What is a SOC report?” is only the start. While many companies know they need a SOC 1 or SOC 2 report, few understand how to review them properly or what to do once they receive them.
Becoming more informed is a vital part of managing your risk and building trust. In our latest article, we explore SOC reports in-depth, covering the differences between SOC 1 and SOC 2, what to look for in an audit, and how to interpret the findings to protect your organization.
What Is a SOC Report?
A SOC report is an independent auditor's attestation that a service organization has established internal controls to safeguard its systems and data. Issued by licensed CPA firms and governed by the American Institute of Certified Public Accountants (AICPA), these reports assess whether a company's controls are suitably designed and, for Type II reports, operating effectively.
Broadly, SOC reports are requested by businesses, known as user entities, that rely on external vendors for services such as payroll, IT infrastructure, or cloud storage. The goal? To understand whether those services can be trusted, especially when it comes to data security, financial reporting, or system availability.
A well-reviewed SOC report can help prevent costly errors, protect customer trust, and satisfy regulatory scrutiny. But understanding what’s actually inside these reports, and how to interpret them, is key.
Categorizing SOC Reports
SOC 1 vs. SOC 2: Key Differences
Two of the most commonly requested reports are SOC 1 and SOC 2, but they serve two distinct purposes.
A SOC 1 report covers a service organization's controls that are relevant to its customers' internal control over financial reporting (ICFR). It is the report to ask for when a vendor performs services such as billing, claims processing, or payroll, essentially anything that can directly affect the figures in your financial statements.
A SOC 2 report, in contrast, is the right fit for technology and cloud-based service providers. It evaluates controls against the AICPA Trust Services Criteria, organized into five categories:
- Security (mandatory)
- Availability
- Confidentiality
- Processing Integrity
- Privacy
Organizations that handle customer data, including SaaS platforms and managed IT service providers, are often asked to present a SOC 2 report to demonstrate their ability to safeguard that information.

Type I vs. Type II Reports
Both SOC 1 and SOC 2 reports come in two types:
- Type I reports evaluate the design of controls at a specific moment in time.
- Type II reports assess both the design and operating effectiveness of those controls over a period, typically ranging from 6 to 12 months.
Type II reports offer more value, especially for ongoing vendor management or long-term partnerships, because they reveal how consistently the service organization actually operated its controls over the period rather than how they looked on one day.
What About a SOC 3 Report?
SOC 1 and SOC 2 reports are restricted-use documents: they contain detailed system descriptions and test results, and distribution is typically limited to the service organization's customers, their auditors, and other specified parties. SOC 3 reports serve a different purpose.
A SOC 3 report is meant for public distribution. It covers the same Trust Services Criteria as a SOC 2 (such as security, availability, and confidentiality), but it omits sensitive details, including control testing procedures and specific exceptions.
This makes SOC 3 ideal for marketing or building trust on your company’s website, where prospective customers can see that an independent audit has been completed without exposing operational specifics.
If you're looking to demonstrate security compliance to a broader audience without revealing too much, a SOC 3 is a valuable complement to your SOC 2 report.
Understanding What’s Included in a SOC Report
Understanding the contents of a SOC report helps you to read it with confidence. Most reports contain the following core components:
Auditor’s Opinion
Found in Section I, this states whether the service organization's controls are suitably designed (Type I) and, for a Type II, whether they operated effectively over the review period. You want to see an unqualified (unmodified) opinion. A qualified opinion means the auditor found significant exceptions in specific areas; an adverse opinion or a disclaimer of opinion signals problems serious enough to warrant much closer scrutiny before you rely on the vendor.
Management Assertion
In Section II, the service organization's management asserts that the system description is fairly presented and that its controls were suitably designed (and, for a Type II, operated effectively) to meet the stated criteria. If this assertion is missing or doesn't align with the auditor's opinion, that's a red flag.
System Description
Section III outlines the systems and services in scope, the locations where controls were tested, and descriptions of relevant processes. Pay close attention to ensure that the systems your company uses are indeed covered.
Testing and Results
In the final section, the auditor lists each control, describes how it was tested, and notes whether any exceptions were found. It's not uncommon to find exceptions, but understanding their significance, and whether management has addressed them, is vital.
Reviewing Your Company’s SOC Report Effectively
Who Should Review
Typically, both internal and external auditors are the first to review SOC reports, particularly during audits or vendor due diligence. However, management teams, compliance officers, and IT leaders also have a vested interest in the review.
Remember, if a vendor is part of your core infrastructure, you need to assess whether their operations fulfill your security and compliance expectations.
Business leaders should also ensure that their teams review these reports regularly, not just once and then forget about them. SOC reports should become part of your vendor management and third-party risk program.

How To Review
Reading a SOC report without a clear review strategy can feel overwhelming. Here’s what business leaders and compliance teams should focus on:
Start with the Scope and Period
Ensure the report addresses the appropriate systems and services, particularly if a vendor offers multiple products. Verify the audit period since an outdated report may not accurately reflect current practices. If necessary, request a bridge letter to cover any gaps between audit periods.
Verify the Subservice Organization Treatment
Many service organizations rely on other providers. For example, a SaaS company may use AWS for hosting. The SOC report will indicate whether these subservice organizations are included (inclusive method) or excluded (carve-out method) from the SOC audit. Under the carve-out method the subservice organization's controls were not tested; the report instead lists the complementary subservice organization controls (CSOCs) it assumes are in place. If critical services are carved out, your business should request the subservice organizations' own SOC reports separately.
Evaluate Complementary User Entity Controls (CUECs)
SOC reports often include a list of controls for which your company is responsible. These may include measures such as restricting admin access or enabling multi-factor authentication. If these are not implemented on your side, the overall control environment might not function as intended, even if the vendor’s controls are robust.
Assess the Exceptions and Responses
Not every test will pass, and that isn't automatically a problem. What matters is that the vendor has documented each exception, explained its root cause, and described a remediation plan in its management response.
Consider how each exception might impact your business. Was the affected control critical? Is the issue ongoing or resolved?
When to Ask Questions (and What to Ask)
Once you've received a vendor's SOC report, it's crucial to raise any questions or concerns if the report is unclear. Whether it's a vague exception, a missing service, or an outdated audit period, ask your vendor.
A reputable vendor, and where appropriate its auditor, will want to answer your questions and help you understand how the findings affect you. SOC reports are complex documents, and even experienced reviewers need clarification from time to time. Be proactive and maintain open communication. Questions to consider include:
- Why is a key system not covered in this SOC report?
- Can you provide a bridge letter for the gap in coverage?
- Has the issue noted in the exception been remediated?
- Do your subservice organizations have their own SOC reports, and can you share them?
Turn SOC Reports Into Strategic Assets
SOC reports aren’t just technical documents; they’re strategic tools!
Whether you need a SOC 1 or SOC 2, they help you determine whether a service provider is trustworthy, resilient, and aligned with your own compliance and risk goals. And when correctly reviewed, they offer insight not just into the vendor’s systems, but into how your internal controls interact with theirs.
By learning the essentials of SOC reporting and how to read and evaluate the different audit reports, you’re protecting your business. Furthermore, you’re building a more secure and trustworthy outlook for your company.
Use these reports to ask better questions, improve your internal policies, and ensure that the vendors you depend on are truly up to the task.
At Securisea, we help organizations like yours prepare for and navigate SOC 1, SOC 2, and other compliance audits. With over 20 years of SOC auditing expertise, we offer professional guidance, gap assessments, and full-scope assurance services to each client.
Whether you're reviewing a vendor's report or preparing your own, our team helps ensure your controls meet today's most rigorous standards. Talk to a Securisea Expert and take the next step toward a stronger compliance strategy that supports your business.
SOC2 + HIPAA Compliance: Combining Controls for Maximum Security
At Securisea we are often asked to combine the work of two or more of the many audits we are licensed to perform in order to reduce, if not eliminate, the repeated work of preparing for and completing audit evidence collection. While we are highly effective at running a range of assurance engagements in parallel, one of the most direct ways of achieving this is the SOC 2+ engagement, which lets us issue, under our CPA license, a single SOC 2 report whose scope is extended to cover the criteria of an additional framework. By far the most common case is the SOC 2 + HIPAA engagement.
SOC 2 (an AICPA attestation framework) and HIPAA (a US federal law) both set detailed expectations for securing and protecting customer and patient data. Meeting both not only reduces the likelihood and impact of data breaches but also demonstrates a strong commitment to information security and privacy, fostering trust.
Understanding SOC 2
SOC 2, short for System and Organization Controls 2, defines how service organizations are evaluated on their management of customer data. Developed by the American Institute of CPAs (AICPA), SOC 2 is especially relevant for organizations providing SaaS (Software as a Service) and cloud services.
The framework is built around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
- Security ensures data protection against unauthorized access.
- Availability ensures that systems are operational and accessible when needed.
- Processing Integrity ensures data processing is complete, accurate, and authorized.
- Confidentiality protects sensitive information.
- Privacy governs the collection, use, retention, and disposal of personal information according to an organization’s privacy policy and applicable laws.
SOC 2 has two types of audit reports:
- Type I assesses the design of internal controls at a specific point in time.
- Type II evaluates both the design and operational effectiveness of controls over a period.
Understanding HIPAA
HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law enacted in 1996 that sets national standards for protecting sensitive patient data. Its privacy and security provisions aim to protect the confidentiality, integrity, and availability of Protected Health Information (PHI).
HIPAA consists of several rules:
- The Privacy Rule sets standards for using and disclosing PHI.
- The Security Rule addresses electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to ensure its security.
- The Breach Notification Rule mandates reporting of any data breaches involving PHI.
Compliance with HIPAA is mandatory for covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates.
Benefits of SOC 2 + HIPAA Compliance
Achieving compliance with both SOC 2 and HIPAA offers numerous benefits for healthcare organizations handling sensitive patient data.
- Enhanced Security Controls: Adhering to both regulations ensures robust security measures, reducing the risk of data breaches and associated financial and reputational damage.
- Customer Trust: Compliance demonstrates a commitment to protecting customer data, enhancing trust with current customers and attracting new ones.
- Complementary Frameworks: SOC 2’s Trust Services Criteria align with HIPAA’s Security Rule, making compliance efforts more efficient and effective.
Securisea Simplifies SOC 2 + HIPAA Compliance
The complementary nature of SOC 2 and HIPAA allows for a unified approach to compliance, benefiting organizations in the healthcare sector or those working with healthcare data.
Securisea’s integrated approach to security and compliance translates into real savings of both time and money for our clients, helping them reach their goal of achieving and maintaining SOC 2 and HIPAA compliance more quickly.
As a trusted advisor, Securisea will work alongside you to understand your business, and help you meet your security and compliance objectives.
FAQs
Does SOC 2 cover HIPAA compliance?
While SOC 2 does not specifically cover HIPAA, a SOC 2 report can include controls relevant to HIPAA, particularly in security and privacy areas. SOC 2 compliance can complement HIPAA efforts by ensuring robust security practices, but it does not replace a comprehensive HIPAA compliance assessment.
How does SOC 2 map to HIPAA?
SOC 2’s security and privacy principles align with HIPAA’s Security and Privacy Rules. For example:
- SOC 2’s Security Principle aligns with HIPAA’s administrative, physical, and technical safeguards for ePHI.
- SOC 2’s Privacy Principle can be adapted to meet HIPAA’s standards for PHI use, disclosure, and protection.
What is the difference between HITRUST and SOC 2?
HITRUST is designed for the healthcare industry, providing a framework for HIPAA compliance, while SOC 2 applies to any service provider managing customer data. HITRUST certification demonstrates compliance with healthcare-specific requirements, whereas SOC 2 ensures adherence to general data management standards.
By understanding and implementing both SOC 2 and HIPAA frameworks, organizations can significantly enhance their data security and privacy measures, ensuring comprehensive protection for sensitive information.
Success Story: SimpliGov + Securisea
SimpliGov selected Securisea as their comprehensive audit partner in 2023. According to CEO David O'Connell, "We started our search looking for auditors on the FedRAMP Marketplace. Securisea stood out to us as an auditor that was just the right size - they had demonstrated experience, and had been recognized since 2020; but appeared to be an agile organization where we would get a level of responsiveness that we were looking for."
SimpliGov first tasked Securisea with their PCI and HIPAA audits in early 2023. According to O’Connell, “the process was great, there were absolutely no issues whatsoever”. The Securisea team delivered an exceptional customer experience and SimpliGov specifically noted the speedy turnaround, frictionless communications, and general openness and candor they experienced in working with Securisea.
Securisea is now helping SimpliGov with a FedRAMP Readiness Assessment. As one of only 43 FedRAMP approved 3PAOs, Securisea has the ability to leverage existing controls from other audits for greater efficiencies through the FedRAMP process.
FedRAMP ATO For Small Businesses: A Wealth of Opportunity
While the FedRAMP process can proportionately require more company resources for a small business, there are also advantages. With a smaller team where team members wear multiple hats, in many cases the FedRAMP accreditation process can happen faster than it does for a large corporation burdened with more layers of bureaucracy and silos.
Securisea works with businesses of all sizes, but we offer some strategic advantages when it comes to FedRAMP for small businesses and startups. We are an agile, nimble organization ready to meet you where you are, helping you create a path to FedRAMP ATO tailored specifically to your organization and your cloud-based offering.
Securisea's Offerings for Achieving FedRAMP ATO as a FedRAMP-Recognized 3PAO
- FedRAMP Advisory & Consulting. Our team provides guidance on business strategy and methodologies, system design, remediation efforts, and documentation of the environment and security control implementations. Additionally, Securisea is capable of developing a system security plan (SSP), crafting policies and procedures, and creating other essential system documentation.
- FedRAMP Readiness Assessment. Your 3PAO performs the necessary readiness capabilities assessment to evaluate your cloud's preparedness for the complete FedRAMP assessment.
- Pre-Assessment. Securisea conducts a brief "gap" analysis or review of your existing cloud system documentation. The result is a high-level roadmap outlining the next steps along with the estimated levels of effort required for completion.
- Assessment. Your 3PAO prepares the necessary FedRAMP documentation, which includes:
- A Security Assessment Plan (SAP) that draws on the SSP and system inventory gathered in the earlier steps.
- A Security Requirements Traceability Matrix (SRTM) to record assessment results.
- Vulnerability scans of operating systems, databases, and web applications.
- A Penetration Test Report.
- A Security Assessment Report (SAR).
- A recommendation for authorization.
- Continuous Monitoring. Monthly, quarterly, and annual continuous monitoring is required to achieve and maintain the ATO.
For small businesses, achieving a FedRAMP authorization opens up a vast opportunity to enter and compete in the federal marketplace, unlocking new revenue streams and establishing long-term partnerships with federal agencies. An authorization not only signifies a commitment to stringent security standards but also provides a competitive edge, positioning small businesses for growth and success in the federal sector.
FedRAMP Rev. 5: What Securisea, as an Approved FedRAMP 3PAO, Wants You to Know
The Federal Risk and Authorization Management Program (FedRAMP) has updated its baselines to Revision 5 (Rev. 5), aligning with NIST SP 800-53 Rev. 5. This update introduces new controls, especially in Supply Chain Risk Management and privacy, heightening the alignment between FedRAMP and NIST standards.
Key Updates
Privacy Enhancements: There are updated privacy requirements across multiple control families, such as role-based privacy training (AT-3), privacy impact analysis for configuration changes (CM-3 and CM-4), and system backup requirements for privacy-related documentation (CP-9). Systems processing Personally Identifiable Information (PII) now need to provide the results of privacy risk assessments.
New Control Families: A notable addition is the Supply Chain Risk Management (SR) control family, which comprehensively addresses risks related to third-party services, products, and supply chains. There are also new controls such as annual training on social engineering and social mining (AT-2(3)) and a public vulnerability disclosure program (RA-5(11)).
Red Team Exercises: For Moderate and High systems, an annual Red Team exercise is now required in addition to traditional penetration testing. This aims to provide a more in-depth cybersecurity assessment.
Password Requirements: Rev. 5 updates password requirements by eliminating specific elements related to password changes, such as minimum age and reuse restrictions. It mandates maintaining lists of common or compromised passwords and implementing password strength meters.
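The password change above is easy to get wrong in practice: teams remove rotation but keep complexity rules, or add a blocklist that only catches a handful of strings. The following is an added example (not Securisea or FedRAMP code) of what a Rev. 5 style acceptance check looks like: no forced expiry or reuse tracking, a check against a list of common or compromised passwords compared by SHA-1 digest so the plaintext list never needs to be in memory, rejection of trivial sequences, and a 0 to 4 strength meter value for user feedback. The blocklist, the length bounds, and the entropy thresholds behind the meter are assumptions for illustration; a real deployment would load a large breach corpus and tune the thresholds.

```python
"""Password acceptance check modelled on FedRAMP Rev. 5 IA-5(1) / NIST SP 800-63B.

Added example, not code from Securisea or FedRAMP. The blocklist below is a
constructed sample; a production system would load a breach corpus (for example a
SHA-1 list from a password-breach service) and compare digests, never plaintext.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of "common or compromised" passwords, stored as SHA-1 digests.
_CONSTRUCTED_COMPROMISED = [
    "password", "Password1", "123456", "qwerty", "letmein", "Winter2024!",
]
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_COMPROMISED
}

MIN_LENGTH = 8    # assumed floor (800-63B minimum for memorized secrets)
MAX_LENGTH = 64   # assumed ceiling; long passphrases must be allowed


@dataclass
class Verdict:
    accepted: bool
    strength: int                       # 0..4 value for the strength meter
    reasons: list = field(default_factory=list)


def shannon_bits(pw: str) -> float:
    """Rough entropy estimate: per-character Shannon entropy times length."""
    if not pw:
        return 0.0
    n = len(pw)
    counts = Counter(pw)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h * n


def is_compromised(pw: str) -> bool:
    """Membership test against the digest blocklist (no plaintext comparison)."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in COMPROMISED_SHA1


def has_trivial_pattern(pw: str) -> bool:
    """Reject one repeated character (aaaaaaaa) or a pure ascending/descending run
    such as 12345678 or abcdefgh."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def strength_meter(pw: str) -> int:
    """Map the entropy estimate onto a 0..4 meter; thresholds are assumptions."""
    bits = shannon_bits(pw)
    for level, limit in enumerate((20, 30, 40, 55)):
        if bits < limit:
            return level
    return 4


def evaluate_password(pw: str, username: str = "") -> Verdict:
    """Accept or reject a proposed password. Note what is deliberately absent:
    no character-class composition rules and no rotation or history check."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if is_compromised(pw):
        reasons.append("appears on the compromised-password list")
    if has_trivial_pattern(pw):
        reasons.append("repeated or sequential characters")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    return Verdict(accepted=not reasons, strength=strength_meter(pw), reasons=reasons)


if __name__ == "__main__":
    for candidate in ("Winter2024!", "12345678", "correct horse battery staple"):
        v = evaluate_password(candidate)
        print(f"{candidate!r}: accepted={v.accepted} strength={v.strength} {v.reasons}")
```

The point to take from the structure is that the blocklist and pattern checks replace, rather than supplement, the old minimum-age and reuse rules: a long passphrase that is not on the list is accepted without any forced expiry, while a short, policy-compliant-looking string such as "Winter2024!" is rejected because it is on the list.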
Encryption and Configuration Settings: New mandates require the encryption of all data-at-rest and data-in-transit using FIPS-validated or NSA-approved cryptography (SC-8, SC-13, SC-28). Configuration settings now require adherence to DoD Security Technical Implementation Guides (STIGs), or CIS Level 2 benchmarks if no STIG exists.
Continuous Monitoring: Enhanced continuous monitoring requirements include joint monthly meetings for CSOs authorized via the Agency path with more than one agency ATO.
Transition Guidance: The transition plan for Cloud Service Providers (CSPs) depends on their current phase. For those in the planning phase, it involves implementing and testing the Rev. 5 baseline and using the updated templates. CSPs already in the initiation or continuous monitoring phases need to identify and address the differences between their current implementation and the Rev. 5 requirements.
Affected Parties
All Cloud Service Providers (CSPs) seeking FedRAMP compliance must transition to Rev. 5, impacting those in various authorization phases: planning, initiation, or continuous monitoring.
Transition Timelines
- Planning Phase: For CSPs new to FedRAMP or in the readiness review process.
- Initiation Phase: For CSPs already undergoing assessments or preparing for them.
- Continuous Monitoring Phase: For CSPs with current FedRAMP authorization.
Each phase has specific deadlines to meet the Rev. 5 requirements.
Steps for Transition
- Develop a Schedule: Include major milestones and activities for transitioning.
- Update Documentation: Use new templates provided by FedRAMP.
- Determine Scope of Assessment: Identify specific controls needing assessment.
- Complete Security Assessment: Follow updated processes for testing controls.
- Submit Required Reports: Prepare and submit the Security Assessment Plan (SAP) and Security Assessment Report (SAR).
How Securisea Can Help
As an approved FedRAMP Third Party Assessment Organization (3PAO), Securisea is equipped to guide CSPs through the transition. We offer expertise in developing schedules, updating documentation, and performing security assessments to ensure compliance with the new Rev. 5 standards.
By leveraging our experience and thorough understanding of the FedRAMP requirements, Securisea helps streamline the transition process, ensuring CSPs meet their compliance goals efficiently.
For further guidance on transitioning to FedRAMP Rev. 5, please visit FedRAMP Rev. 5 Transition Guide.
Navigating PCI DSS 4.0: Key Changes and Strategies
Ensuring PCI DSS 4.0 compliance is crucial for organizations handling cardholder data. This latest update not only protects against cyber threats and security breaches but also aligns with the rapidly evolving payment industry and its technologies. By adopting PCI DSS 4.0, organizations can promote security as a continuous, proactive process, staying ahead in a constantly changing digital landscape.
With the rollout of PCI DSS v4.0, understanding and preparing for the changes is essential to avoid compliance delays. Here’s what you need to know about transitioning to PCI DSS 4.0:
Key Dates:
- March 31, 2024: PCI DSS v3.2.1 retired; the old reporting templates are obsolete.
- March 31, 2025: Future-dated v4.0 requirements must be met.
Preparation Tips:
- Engage Early: Consult a qualified security assessor (QSA) now.
- Use Readiness Assessments: Gauge your preparedness.
- Be Efficient: Leverage compliance evidence and reporting from other standards.
Understanding the Changes:
- PCI DSS 4.0 increases complexity, requiring detailed documentation.
- Costs may rise due to enhanced requirements and third-party vendor fees.
Planning Tips:
- Self-Assessment: Conduct a self-assessment or readiness assessment.
- Filing Date: Consider moving your filing date to avoid deadline rush.
- Compliance Essentials: Automate evidence collection and compliance management.
Key Takeaways:
Early planning and preparation are vital to manage costs, reduce frustration, and ensure compliance with PCI DSS 4.0. Talk with a Securisea Expert to ensure your compliance with PCI DSS 4.0 standards.
Why Securisea?
Securisea is one of only a handful of audit firms in the world certified to provide CSA STAR, ISO 27001 and ISO 27701, SOC 2, SOC 1, PCI DSS, FedRAMP/StateRAMP 3PAO, HITRUST, and HIPAA assessments all under one roof. Our integrated compliance approach lets clients leverage existing security controls from other frameworks directly in each engagement, reducing overhead and duplicated work.
- Broadly certified and trusted by clients
- 18+ years of successful engagements
- Remote presence across the US & Canada
- Capable and experienced technical team
- Commitment to client satisfaction
- Engagement process structured toward maximum simplicity
- Flexibility with existing systems, tools, and with scheduling
- Awarded a seat as a GEAR Advisor by PCI Council
Secure Software Development Attestation Form
On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the final version of its common Secure Software Development Attestation Form.
If your organization sells software to the US government, this release has some extremely important implications.
The form is used by federal agencies to fulfill the requirements of OMB Memoranda M-22-18 and M-23-16, which direct agencies to ensure the software they use was developed securely by obtaining attestations from the software producers.
“Failure to provide any of the information requested may result in the agency no longer utilizing the software at issue. Willfully providing false or misleading information may constitute a violation of 18 U.S.C. § 1001, a criminal statute.” - CISA
The release of the final Secure Software Development Attestation Form triggered a countdown wherein agencies need to begin collection of the forms within three months for “critical software” and within six months for all other software.
- “Critical Software” Deadline - June 11, 2024
- All other Software Deadline - September 11, 2024
The self-attestation form states that "A third-party assessment must be performed by a Third Party Assessor Organization (3PAO) that has either been FedRAMP certified or approved in writing by an appropriate agency official. The 3PAO must use relevant NIST Guidance that includes all elements outlined in this form as part of the assessment baseline."
Securisea is a FedRAMP 3PAO (Third Party Assessment Organization) with 18+ years' experience helping organizations certify their ability to meet stringent security standards. In May 2020, A2LA accredited Securisea as the first FedRAMP 3PAO to be certified through a new process that requires organizations to first become accredited by A2LA's Cybersecurity Inspection Body Program, demonstrate compliance with cybersecurity program requirements for a year, and then transition to the FedRAMP program.
Frequently Asked Questions:
- Has Securisea conducted any CISA Secure Software Development Attestation assessments? Can Securisea evaluate conformance to all elements in this form? Yes - we have conducted CISA Secure Software Development Attestation assessments for other organizations.
- As a 3PAO, is Securisea able to use relevant NIST Guidance that includes all elements outlined in this form as the assessment baseline? Yes - we are able to use relevant NIST Guidance in completing this form.
- What is Securisea’s process for conducting the assessment? Our process involves interviewing an organization’s software engineers and reviewing the output of their various procedures that address each of the attestation form's requirements.
- Approximately how long does each attestation take? The overall timeline will depend on how organized and responsive your organization can be throughout the process, but on average can be completed in just a few months.