Going to RSA? Let us know! Let’s meet

A-LIGN + A-SCEND = The Complete Solution

Organizations are strapped for time and working with limited resources. That’s why many have turned to compliance automation software to streamline processes. 

But software vendors are only one type of compliance vendor you’ll encounter in the market, and they can’t solve all of your compliance needs. Generally speaking, you can classify compliance vendors into three categories: 

  • Compliance Software Vendors: Vendors that offer software products to assist with aspects of cybersecurity and compliance audits (such as evidence collection and review).  
  • Auditors: Experts licensed or approved by certification/authorization bodies to assess an organization’s capabilities against the certification’s standards and practices. Some auditors focus on specialized industries or types of audits, while other larger audit companies provide a suite of services.   

Technology-Enabled Auditors: These providers (like A-LIGN) offer the best of both worlds — certified experts who can complete audits and issue final reports, and proprietary technology to automate and streamline the audit process.  

Selecting the wrong partner for your needs can strap you with hidden costs, lead to reputational damage, and create inefficiencies as your business and cybersecurity posture mature. 

To find the best compliance partner, ask these three questions before you sign a contract.

1. Can the vendor produce reports/certifications?

There’s a common misconception in the world of compliance — software is all I need. While audit software can help streamline audit processes and evidence collection, technology providers cannot provide the actual audits or grant certifications themselves. 

Compliance certifications require specialized assessors trained to evaluate a company against specific standards (see definition of “auditors” above). 

For example, only Third Party Assessment Organizations (3PAOs) grant FedRAMP Authorization, and only accredited ISO certification bodies assess ISO Certification. Similarly, the American Institute of Certified Public Accountants (AICPA) regulates SOC 2 assessments. An external auditor from a licensed CPA firm must complete these examinations. 

If you sign on to use a compliance software solution alone, you risk incurring additional costs when it’s time to call in an auditor. This can also lead to a lack of efficiency and an extended project timeline. Instead, the best thing to do is to work with an audit firm that also offers compliance software to streamline processes and assist with data collection.  

2. What is the compliance vendor’s suite of services?

There are a lot of cybersecurity certifications and audits out there — for different types of companies, industries, and more. As your company grows, you may be required to complete more audits and certifications than you originally planned for. 

For example, you may be focused on SOC 2 right now. But, if you want to expand your business into the Federal government in a few years, you will need FedRAMP Authorization. As you continue to grow your business, services, and tech stack, you also may want to start completing regular penetration tests to check up on your systems and processes.  

Select a vendor with your future in mind. It’s helpful to build a relationship with a compliance vendor who can scale with you. Switching vendors for individual audits can lead to a lack of efficiency, as you’ll have to re-do the extensive evidence collection and systems documentation processes. 

3. Is this a credible compliance vendor?  

Cybersecurity audits and certifications are a great way to gain the trust of potential customers and investors. Just like how organizations go through the audit process, auditors go through an audit process themselves. Auditors must be trained and assessed in their ability to evaluate companies properly against industry standards.  

With that in mind, you’ll want to select an auditor with a track record of success and longstanding relationships with certification and authorization bodies like ISO, HITRUST, and the AICPA, among others. Otherwise, you risk working with an auditor who loses their status — and the reputational damage that may trickle down to you as a result. Opting for a traditional software compliance vendor leaves you most vulnerable to this scenario, as they may choose your auditor for you.  

Complete Compliance with A-LIGN 

A-LIGN is a technology-enabled security and compliance partner that can assist with various audits, reports, and certifications. 

A-LIGN’s services include: 

  • Leading cybersecurity certifications like ISO 27001 or SOC 2 attestation  
  • Industry-specific certifications like FedRAMP, StateRAMP, PCI DSS, HITRUST, HIPAA, and more 
  • Cybersecurity services like Ransomware Assessments and Penetration Testing 
  • Assessments for compliance against privacy laws like GDPR  

Our A-SCEND technology complements the expertise of our auditors by streamlining extensive evidence-collection processes and storing information in a single system of record that can be used across multiple audits and certifications.  

Economic pressures force security, governance, risk, and compliance leaders to do more with less. CISOs are especially vulnerable, as it can be hard to cut corners where data security is concerned.  

By 2023, 30% of a CISO’s effectiveness will be directly measured on the ability to create value for the business. This means that even though security remains a top concern, CISOs will also face growing accountability for the financial success of the organizations they represent.  

To proactively prepare for future changes, A-LIGN has identified three areas for CISOs to concentrate when reducing budgets and helping their organizations generate ROI.   

1. Utilize Technology 

Becoming compliant is necessary to keep clients and win new business but it can be expensive and time consuming if done without technology streamlining the process. Organizations can utilize compliance technology to mitigate the impact of personnel shortages, time-related constraints, and reduction in resources.  

Compliance technology automates many manual tasks from audit processes, such as simplifying readiness assessments and deduplicating audits and evidence collection.  

A-SCEND is A-LIGN’s award-winning compliance automation software. A-SCEND allows teams of all sizes to gain instant visibility into their compliance standing, create policies, and manage evidence in one centralized platform. From automated evidence collection to continuous monitoring, A-SCEND is the end-to-end solution that bridges the gap between auditor experience and technology. 

Beware of the Limitations of Technology

Popular thought is that by enabling integrations into a cloud platform, an organization can become effectively hands-off in its approach to assuring compliance. While this idea may seem like a solution, several influences quickly highlight how cost-ineffective this route can be.  

Only a few of the available integrations consider the nuance of scoping. An organization might have the ability to pull data from its cloud service provider (CSP) quickly. However, a human must evaluate if that evidence applies to the assessment at hand. 

For example, pulling a population of users from an HR system might ease a burden on your HR team, but what if you deliver the wrong list of users? When the concern is providing more than the (minimum) necessary for an assessment, unmanaged integrations are a significant risk. 

Even if your organization adopts compliance technologies, CISOs and Compliance Officers should ensure their team stays actively engaged with the audit processes. 

2. Consolidate Vendors

Audit and compliance automation platforms are not the same as accredited auditors or assessors. This means organizations must still contract with and build relationships with one or many audit firms depending on the attestations and certifications they carry.  

It is common to see third-party compliance firms specializing in delivering either SOC, ISO, PCI, or HITRUST assessment and validation. However, when consolidation is key, many companies make uninformed decisions that increase their workload (and budget). Think of it like choosing to contract with a different cell provider for every cell phone in your home — you quickly realize how little sense it makes. 

Coordination, variety of opinions, and variations in quality and performance all become genuine risks when engaging with multiple assessor firms. Applicability of collected evidence is also a concern. Automation integrations pull some data from cloud platforms, the auditors must determine if that data is necessary to meet their evaluation.  

Audit firms must ensure they collect sufficient data to support the opinion they issue. If opinions vary, the burden to provide satisfactory evidence will always remain an obligation of the assessed entity — which can put organizations in a challenging position.  

3. Don’t Delay Cybersecurity Compliance Certifications

With an uncertain economy, it is easy to understand why some organizations may consider delaying the pursuit of compliance certifications. However, many prospective clients will value your organization’s additional protections to ensure their data remains protected, especially if the client sees an organization’s process is validated by a trusted, independent auditor.      

In particular, SOC 2 and ISO 27001 are two of the most effective cybersecurity frameworks. 

Organizations should proactively complete a SOC 2 audit before a customer requests a final report. This will set you apart from your competition and help you to win new business. 

Additionally, some authorizations, like FedRAMP, require yearly re-assessments. Organizations should seek re-authorization to remain competitive and retain current customers. 

Keep Compliance as a Top Priority

While budget reductions may be coming, CISOs do not need to sacrifice information security. Adopting compliance technology and consolidating vendors can minimize downtime and save money. Additionally, pursuing relevant certifications can attract new clients and increase your business revenue. 

A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks, including SOC 2, PCI DSS, ISO 27001, GDPR, FISMA, FedRAMP, and NIST-based frameworks. Our advisors and auditors can partner with your organization to help you meet all compliance needs, even during times of financial uncertainty.  

Keep forward on your path to success. Begin your compliance journey with A-LIGN today.  

Created in 2020, StateRAMP provides a standardized approach to cybersecurity for cloud vendors working with state and local governments. StateRAMP authorization is required for any organization that wishes to do business with state and local governments. 

If you are seeking StateRAMP authorization, here is a look at the step-by-step process you’ll need to complete with A-LIGN: 

  • Step 1: Pre-Assessment Review 
  • Step 2: Planning Activities 
  • Step 3: Assessment Activities 
  • Step 4: Reporting Activities 
  • Step 5: Earning Authorization

Look familiar? This is very similar to the process for FedRAMP authorization.  

Before You Begin

Before the assessment process gets underway, you’ll need to complete a few initial tasks to help your organization prepare: 

  • Research
  • Obtain a Sponsor (optional)
  • Find a Third Party Assessment Organization (3PAO)
  • Complete a Readiness Assessment (optional)

Research

It’s always good to gain a baseline understanding of StateRAMP and the assessment process before diving into it. Here is some recommended reading to help you begin your research: 

Leverage a Sponsor or the Approvals Committee

Sponsors are individuals or agencies responsible for reviewing a security package and approving StateRAMP Authorized status. Sponsors are the state agency or organization that will eventually be using the cloud product. 

Providers looking to achieve StateRAMP Authorization may choose to leverage a sponsor OR use StateRAMP’s Approvals Committee instead. Either route is acceptable and there is no difference (beyond some minor administrative changes) in the authorization process.  

Find a Third Party Assessment Organization (3PAO)

StateRAMP assessments must be completed by a 3PAO, an organization that has gained special authorization to conduct assessments on behalf of the StateRAMP program.  Any FedRAMP 3PAO is eligible to conduct the assessments but must register with StateRAMP. 

A-LIGN is a StateRAMP-registered assessor and accredited FedRAMP 3PAO. We have a longstanding relationship with FedRAMP and StateRAMP, and served as advisors on how best to adapt the FedRAMP framework into StateRAMP when the program was first created. We also currently serve on the Steering Committee and the Appeals Committee. 

Complete a Readiness Assessment 

Prior to undergoing a StateRAMP assessment you may want to perform a StateRAMP Readiness Assessment and get a Readiness Assessment Report (RAR). During this assessment, a 3PAO looks at your environment to determine if it is technically capable of meeting the StateRAMP requirements. 

A readiness assessment can help identify gaps in controls prior to the official 3PAO assessment — which ultimately will save you time and money in the official audit process. After the assessment, organizations can qualify for StateRAMP Ready status, which designates your organization as one that is qualified to achieve StateRAMP authorization and is in process.  

A-LIGN can provide you with both a readiness assessment, as well as an official assessment for StateRAMP authorization. 

Step 1: Pre-Assessment Review (1-4 Weeks) 

If you have already completed a readiness assessment with A-LIGN and received a StateRAMP Readiness Assessment Report, we will skip this step and move immediately to Step 2 in the process.  

Once you are ready for an official assessment and have signed a contract with A-LIGN, we’ll begin with a pre-assessment review phase.  

During this phase, our team will compare your current environment against the StateRAMP requirements to determine any known issues or gaps that need to be remediated before the official assessment.  

Keep in mind that the quality of the evaluation is dependent on the accuracy and volume of information you provide to us. The more you can provide, the better. Once the review is complete, we will meet with your team to review the findings and outline the next steps.  

Step 2: Planning Activities (4 Weeks)

After the Pre-Assessment Review phase, you will need to submit responses to an initial Information Request List (IRL) that A-LIGN provides you with.  

While you are working on the IRL responses, we will submit a few materials to your sponsor to review. These include: 

  • An Authority to Test (ATT) – This is part of our penetration (pen) test planning and is only required if the system being reviewed is classified as StateRAMP Moderate impact level. Low and Low+ impact levels do not require pen tests under current guidance from StateRAMP. 
  • A Security Assessment Plan (SAP). 

Step 3: Assessment Activities (7 weeks) 

During the assessment phase, we will conduct on-site fieldwork (team interviews) and remote fieldwork (evidence review).  

Keep in mind that we do not begin our evidence review until at least 90% of the IRL evidence is provided by your team. Any delays in evidence collection will result in delays in our review timeline. It’s important to plan ahead so we can stay on schedule throughout the assessment process.  

We will also conduct a pen test at this time. Again, this is only a requirement for StateRAMP Moderate. It is an optional step for Low and Low+. Although it is optional, we highly recommend undergoing this step as a safety net to eliminate any surprises we may encounter during the actual testing phase. 

Once we conduct the penetration test and get through a majority of the evidence review, we’ll provide your team with a draft of a risk exposure table. Your team can then review the draft and create a plan of action and milestones to remediate any initial issues that were found.  

Step 4: Reporting Activities (5 weeks)

Upon completion of our full evidence review and pen test, we will provide you with a draft Security Assessment Report (the next iteration of the initial risk exposure table) and pen test report for review. We will analyze and discuss the findings with your team before drafting a final report for you.  

Once the final report is complete, it will be sent to StateRAMP. 

Step 5: Earning Authorization (2-3 weeks)

The security package is then reviewed by the security professionals at StateRAMP’s Program Management Office (PMO). The PMO will verify the security status of your organization and grant you:

StateRAMP Authorized Status: A status that indicates the product or offering has: 

  • A government sponsor 
  • Meets all the required NIST controls by impact level  
  • Has completed the necessary documentation, including a 3PAO Security Assessment Report 

StateRAMP Provisional Status: A status that indicates the product or offering has: 

  • Met the minimum requirements and MOST critical controls, but not all 
  • Providers listed as provisional may continue to work toward authorized status  

All authorized providers will be listed on the publicly-available Authorized Vendor List (AVL) on stateramp.org, which includes information about the service providers’ products, including impact level, provider type, and security status. The PMO maintains responsibility for continuously monitoring providers listed on the StateRAMP Authorized Vendor List (AVL). 

Get Started Today

For any organization looking to work with state and local government entities, StateRAMP authorization is essential. With careful planning, a solid 3PAO partner, and an understanding of the process and associated timeline, you can streamline efforts to achieve StateRAMP authorization.   

For more information about the StateRAMP process, contact A-LIGN today

Since its creation in 2011, the Federal Risk and Authorization Management Program (FedRAMP) has provided a standardized government-wide approach to assessing the security of cloud computing services. 

However, due to government agencies’ increased adoption of cloud technologies and a rise in cybersecurity attacks, many organizations and agencies have called for an updated version of FedRAMP to address their mounting cybersecurity concerns. 

In late December 2022, the President signed H.R. 7776, the “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023,” into law, which includes the FedRAMP Authorization Act. The official FedRAMP Authorization Act document is nearly 30 pages long and details the proposed changes to the FedRAMP program.  

This blog will discuss everything you need to know about the FedRAMP Authorization Act, along with what the changes mean for organizations.  

1. Codifies secure market expansion into law 

The passing of the FedRAMP Authorization Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. By codifying the FedRAMP Authorization Act into law, FedRAMP will now receive Congressional oversight. With this oversight comes better insight into the cost burdens of FedRAMP Authorization for SMBs

Currently, the FedRAMP Authorization process is quite costly. Organizations that obtain authorization must undergo annual reassessments to retain their authorized status, only furthering the financial strain. The new FedRAMP Authorization Act aims to discover where and how they can alleviate these cost constraints. 

In addition to the above changes, the United States Office of Management and Budget and General Services Administration/FedRAMP Project Management Office will be required to produce and submit reports for Congressional review. These reports will document the metrics and performance standards of the FedRAMP program.  

2. Allows agencies to certify vendors more easily 

One of the FedRAMP Authorization Act’s most important features focuses on reciprocity. Reciprocity gives Cloud Service Providers (CSPs) the ability to authorize and then re-use their already-certified FedRAMP status across other agencies.  

Put simply, this “presumption of adequacy” clause, as it is called in the official documentation, allows FedRAMP-authorized tools to be used by any federal agency without further checks. Formalizing a “presumption of adequacy” for government contractors makes it easier for organizations to certify vendors, opening the door for organizations to get easier access to more cyber-secure services.  

3. Establishes a secure cloud advisory committee 

Additionally, the Federal government seeks to provide more transparency and increased dialogue between themselves and industries. The government wants to drive stronger adoption of secure cloud capabilities and reduce legacy information technology. 

To achieve this goal, the FedRAMP Authorization Act calls for the creation of a Secure Cloud Advisory Committee.  

The committee will consist of 15 members, including five representatives from cloud services companies. Two of the five representatives must come from small cloud vendors. The committee will also contain one representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. Two serving chief information officers from Federal government agencies would also sit on the committee. 

Secure Cloud Advisory Committee members will work alongside the existing FedRAMP Joint Authorization Board to streamline selection and assessment processes. The two groups will uncover solutions to shorten the time to gain the authority to operate (ATO) and to update the framework over time.  

What does the FedRAMP Authorization Act mean for my organization?  

As of now, there are no immediate changes  to make in regard to obtaining FedRAMP Authorization

But, we do suggest organizations should take advantage of the benefits of the FedRAMP Authorization Act. The Act has made it easier for commercial cloud and software providers to access multiple agencies across the federal marketplace. 

This may provide a valuable opportunity to expand your organization’s work in the public sector — a highly profitable industry. 

Get started with FedRAMP today 

The FedRAMP Authorization Act will remove some of the current FedRAMP authorization bottlenecks and will make it easier for agencies to source FedRAMP ATO providers. For organizations who still need to obtain FedRAMP authorization, now is the perfect time to dive in. 

A-LIGN is one of the top FedRAMP assessors in the world, with a 96% satisfaction rating from our customers. Our experts can help you through every step of the process — from a readiness assessment to final authorization.

Contact A-LIGN today to learn more about our FedRAMP services.

According to a recent ENISA report, strong internal security is no longer enough for organisations, as attackers have already shifted their attention to suppliers.

With many recent cyberattacks on supply chains across Europe, organisations have begun to consider alternative enhancements to their existing security measures. One of these solutions is blockchain-based cybersecurity technology.

IBM defines blockchain cybersecurity as a “comprehensive risk management system for a blockchain network, using cybersecurity frameworks, assurance services and best practices to reduce risks against attacks and fraud.”

Although many solutions using blockchain have been announced, organisations have not rushed to adopt blockchain technology. I believe blockchain can complement efforts to provide an additional layer of security, but it’s important to be wary of the risks associated with cyber cyber supply chain blockchain technology.

Areas of highest risk for supply chains

Supply chains face a number of vulnerabilities — including economic instability, extreme weather events, supplier inconsistency and more. One of the top risks to supply chains are cyberattacks. The NotPetya attack in 2016 paralysed European and American supply chains and cost them nearly $10 billion worth of damage.

There is a reason why supply chains are especially vulnerable to attacks. The organisations making up supply chains aren’t technology companies. In fact, many supply chains still use aging and legacy infrastructure and rely on insufficient third-party software, which opens the door to risk.

Blockchain as a solution

The data structures of blockchain technology are based on consensus, cryptography, and decentralisation principles, which can enhance security.

But despite blockchain technology strongly improving since its inception, it still has several weaknesses in both security and structure that have prevented widespread adoption from organisations across the globe.

Risks associated with blockchain

Some of these shortcomings can make organizations more susceptible to attack. Security risks include:

  • Privacy: All network nodes have access to data on a public blockchain, despite blockchain databases being anonymous and encrypted. This makes it harder to control who has access to specific information.
  • Vulnerable to cyberattacks: Even though blockchain offers greater security than other platforms, it is not entirely safe. Cyberattacks and blockchain’s ​​cryptographic algorithm make it possible to compromise the blockchain network.
  • Private keys: Blockchain requires users to have private keys to access resources or data stored in the blockchain. If a user loses their private key, they can no longer access the wallet — but if a bad actor has taken the key, they potentially can.
  • Data immutability: Once data is written, it cannot be erased. If someone uses a blockchain-based digital platform, they can’t erase its record. Those who have access to the platform can see the data history.

Structural issues associated with blockchain

Along with the security risks facing blockchain, several structural issues exist as well. Some of the structural issues preventing widespread blockchain adoption include:

  • Scalability: Unlike their centralised counterparts, blockchains have limitations in how they can grow alongside a business.
  • Storage: Blockchain databases are stored permanently on all network nodes. Computers can only store a limited amount of data, and blockchain ledgers can outgrow their storage space.
  • Power use: Whenever a new node is created, it connects to all other existing nodes and builds a distributed, continuously updated ledger. This process can require an extraordinary amount of power.
  • ​​Cost and implementation: Even though most blockchain solutions are open source, implementing a blockchain solution can be a costly process. Enterprise blockchain projects can cost well over a million dollars to implement — and that figure does not include expected maintenance costs. 

This is not to say blockchain cannot be used as a valid solution. However, organisations should not rely solely on blockchain technology to keep their supply chains safe.

How to keep supply chains safe

On 15 September 2022, the European Union announced it would be advancing legislation to strengthen security requirements for all digital hardware and software products.

Even with this new framework, ENISA continues to highlight its recommendations for customers and suppliers to minimise the risk of a supply chain attack, whether they use blockchain solutions or not.

Recommendations for customers include:

  • Identifying and documenting service providers and suppliers.
  • Defining risk criteria for different types of suppliers and services (for example, supplier and customer dependencies, critical software dependencies, and single points of failure).
  • Continuous monitoring of supply chain risks and threats, this includes architecture and supported systems.
  • Managing suppliers throughout the complete lifecycle of a product or service, including end-of-life products or components.
  • Classifying assets and information that are shared with (or accessible) to suppliers, defining relevant procedures for accessing and handling them.

As for suppliers, ENISA recommends:

  • Confirming that the infrastructure used to design, develop, manufacture, and deliver products, components and services follow proper cybersecurity practices.
  • Implementing consistent product development, maintenance and support processes.
  • Continuous monitoring of security vulnerabilities reported by internal and external sources, including used third-party components.
  • Maintaining an inventory of assets that include patch-relevant information.

A-LIGN can help mitigate risk

No one security posture can keep you safe. Organisations should not rely on security processes or frameworks alone. For maximum protection, you must put your security controls to the test.

Penetration testing is designed to assess the cybersecurity of your organisational technologies and systems. A-LIGN’s OSEE, OSCE, and OSCP Certified Penetration Testers employ automated and manual techniques to find weaknesses in servers, end-user workstations, wireless networks and web-based applications. They also assess security awareness, and the human-layer and physical facility controls to provide a complete picture of an organisation’s level of protection.

If you would like to test your organisation’s systems, contact A-LIGN today.

Today’s hackers are setting their sights on cloud resources. Just recently hacker group Cloaked Ursa – also known as APT29, Nobelium, and Cozy Bear — executed a massive effort targeting Google Drive and Dropbox.  

Cloud breaches are leaving companies across industries vulnerable to hacks. In the last few months of 2022, password manager LastPass suffered a data breach when hackers gained access to a third-party cloud storage service and HR software maker Sequoia reported a breach of its cloud storage repositories, which put customers’ sensitive personal data at risk.  

How can you prevent something similar from happening within your organisation? The most important thing to do is to identify vulnerabilities exist. For most organisations, that includes: 

  1. The Human Element (People)  
  1. Logging and Monitoring procedures 
  1. App integrations and 3rd party components or libraries 

In this blog, we’ll provide cloud security tips to help your organisation strengthen these vulnerable areas to decrease the likelihood of an attack.  

Cloud Security Tip #1: Educate Employees to Prevent Social Engineering Attacks 

Many breaches involve a form of social engineering, where hackers exploit the human element to trick people within an organization into providing some sort of access to sensitive data. In fact, in a recent survey, 75 percent of respondents cited social engineering/phishing attacks as the top threat to cybersecurity at their organization.  

Phishing is a very common strategy and most often takes the form of emails, website forms, or phone calls that encourage readers to click a link that is used to install malware or reveal personal information like credit card numbers, social security numbers, or account login credentials. Hackers have become quite sophisticated in their efforts, impersonating colleagues or other reputable sources to deceive employees.   

Organization’s must prioritize educating their employees about these attacks, so breach attempts can be more easily identified and thwarted. It’s helpful to share examples of phishing attempts throughout your company so employees can better identify authentic communications.  

It’s also important to educate employees on an ongoing basis. Hackers are constantly updating/changing their methods — they switch methods once a new one is proven to be effective. With that in mind, your education efforts for employees (also known as security awareness training) should focus on relevant current attacks/threat vectors being used by bad actors.  

Cloud Security Tip #2: Use Automation to Mitigate Logging and Monitoring Vulnerabilities 

Hackers often take advantage of insufficient logging and monitoring procedures, which give them more time to penetrate systems unnoticed. This is a huge advantage for them. With more time to discover exploitable vulnerabilities, hackers can increase the likelihood of maximum damage.  

While hackers poke around your systems, your organisation may not even notice a system anomaly that needs to be investigated.  

The most common insufficiencies we see across organisations include: 

  1. Logging level configuration issues. When logging levels aren’t set correctly or are set too low, you can miss alerts about unexpected activity that require investigation. 
  1. A lack of log sources configured or onboarded. Without log sources, your organisation has no visibility into critical areas of your infrastructure — and therefore can’t detect suspicious activity.  
  1. Insufficient error messages. When error messages lack key details, it’s impossible to contextualize anomalies and decide if they need to be investigated. 

Consider using automated solutions to improve your logging and monitoring processes. This will allow you to notice and respond to anomalies at scale. 

Cloud Security Tip #3: Conduct Penetration Tests to Secure App Integrations 

Web applications are particularly vulnerable to attacks. Nowadays there are so many integrations that threat actors can take advantage of. Particularly, threat actors have been able to move laterally across the cloud with applications that were either not developed securely or have vulnerabilities within the integrations themselves. 

To monitor your app integrations, it’s essential to conduct regular penetration tests. Your organization should regularly test to identify weaknesses in web applications before an attacker identifies them. This includes testing to ensure integrations are supported and updated.  

A penetration test will show if there are unintended vulnerabilities that can be used to move laterally across different parts of your organisation’s cloud, so you can perform the necessary remediations immediately. 

Secure Your Cloud Resources Today 

Don’t wait to secure your cloud resources. Hackers continue to become more sophisticated with new strategies to discover vulnerabilities within any environment and target sensitive information. A breach can cause financial losses, reputational damage, and result in expensive GDPR fines and penalties for your organization.  

Start the process to protect your resources today by conducting a penetration test to identify your biggest areas of concern.  

Watch this video so you know what to expect during the process then contact the experts at A-LIGN to set up your first test. 

Over the last couple years, more and more organisations conducting business throughout the European markets have been seeking a SOC 2 assessment in addition to the ISO 27001 certification. So much so, many have begun to speculate whether the US originated SOC 2 audits will replace the need for the international ISO 27001 certification in these EMEA markets.   

The short answer: Not quite. 

While both provide some level of assurance to clients and regulating bodies, a SOC 2 assessment and an ISO 27001 certification by definition are two different processes.  

ISO 27001 is an internationally recognised standard with a framework of controls that can be applied to any organisation, regardless of the size or sector, with a pass/fail certification decision.   

A SOC 2 assessment is an audit standard created by the American Institute of Certified Public Accountants (AICPA) in which a CPA (Certified Public Accountant) will review your policies, procedures, and systems against five categories called Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). The independent assessor’s detailed SOC 2 report contains their expert opinion of how well the organization meets the selected criteria in regard to protecting all aspects of its systems.

Why the speculation?  

The rising use of SOC 2 in the US over the past decade is due to many large companies becoming more proactive about their cybersecurity risk management. These organizations began setting forth requirements stipulating that their vendors must have a SOC 2 report ready as part of the due diligence process. 

Over the past two years, a similar chain of events has started to play out in Europe. Increasingly, companies in certain key industry sectors require SOC 2 reports so they can determine whether organisations along the supply chain have the necessary controls in place to protect the data of all parties involved.  

The SOC 2 report is more in-depth than an ISO 27001 certificate. With the result of a SOC 2 assessment being an extensive attestation report up to 150+ pages in length, it tends to give a company’s partners and clients a higher level of detail about their security posture compared to the result of an ISO 27001 audit which is simply a one-page certification letter. This is one of the leading reasons why the cybersecurity compliance norm in Europe is beginning to welcome SOC 2 as an excellent supplemental security framework.    

Which is better: SOC 2 or ISO 27001?  

Because the two differ in scope and function, identifying one as superior over the other isn’t the correct way to think about it. Depending on the organization’s goals and capabilities, one may be better to prioritize as the first approach to security. Identifying which one is right for your organization can be done by consulting with an information security governance, risk and compliance management consultancy firm.  

You may find that leveraging both a SOC 2 assessment and an ISO 27001 certification only increases the efficacy and durability of your cybersecurity posture, enabling you to tap into the US and EMEA markets with a greater competitive edge. Utilising audit consolidation tools such as A-SCEND allows organizations to easily satisfy multiple audit requirements by deduplicating evidence collection, saving time and resources during the completion of both audits.  

Different Markets Require Different Compliance Needs 

In addition to SOC 2 and ISO 27001, there are several different certifications and standards that organizations can leverage to remain compliant in their region of operation and improve their security posture. For organizations who wish to do business in the UK, attaining a Cyber Essentials (CE) Certification (a certification developed by the UK Government and industry to help protect organizations against common online attacks) is a must. Additionally, compliance with the Data Protection Act 2018 is another compliance requirement unique to the UK. 

Equally, operators of essential services (OES) and related digital service providers (RDSPs) in the EU must adhere to the NIS Directive (Directive on security of network and information systems). Any company conducting business and/or processing EU residents’ personal information must comply with the GDPR (General Data Protection Regulation). 

Strengthening Your Business’s Compliance Programme    

Ensuring the privacy of consumer data and the protection of information will continue to be of utmost importance for your organisation in the coming years. If you’re looking to fine-tune your business’s compliance programme in order to abide by the latest regulations, while also winning new business, A-LIGN can help. Our expertise spans privacy impact assessments, GDPR-related services, ISO 27001 Certification and SOC 2 examinations. We have everything needed to take your compliance program to new heights in 2023. 

Are you confident in your organisation’s personal data because of the security measures, policies and procedures you have in place? For many organisations, this is a false sense of security. Establishing policies and procedures is not a one and done task. Cybersecurity efforts should involve your entire organisation from the top down and be treated as an ongoing effort.

With the shift to remote work came a drastic increase in data breaches, making cybersecurity more important than ever before. In this article, we will review the importance of data protection and establish how zero-trust architecture will help to better secure your European organisation’s personal information.

Data Protection- The Baseline to Cybersecurity

Data protection concentrates on the data itself, closely tracking who is using it and where it’s being sent, and blocks access based on certain conditions previously set. Establishing these conditions are the baseline steps to help to protect your organization against cybercrime. 

Since hackers can only steal information that is accessible to them once they gain access, one of the most effective ways to mitigate risk is to limit the data collected. For example, you shouldn’t collect any information that is not directly relevant to your business. If you must collect the data, be sure to set a retention time holding policy to direct staff on when to purge the data. This organisational practice applies not only to data stored on premise, but also in the cloud.

Employee education also directly ties into data protection. The majority of employees will trust they are purging data when they simply remove the documents from their desktop, not realising duplicate files are also located within their computer. Learning how to properly dispose of data will drastically minimise the amount of data that can be compromised if hit by malicious threat actors.

Data protection is a common practice for European organizations. We are now seeing the U.S.-driven approach of zero trust gaining traction in the E.U. as an additional layer of cybersecurity. In response to the SolarWinds attack in 2020, the National Cyber Security Centre (NCSC) encouraged the widespread adoption of zero-trust security frameworks.

What is zero trust?

Establishing a zero-trust architecture means that your organization will restrict access to resources to only employees who need them. Every time an employee wants to access data or a resource, they must reauthenticate and prove who they are and that it’s necessary to their job function. Zero trust uses the methodology of least privilege, never trust, always verify.

Adding a zero-trust architecture to your data protection protocols will help to strengthen the security of your European organisation. The zero-trust principles assume that an internal network is already infected with many threats and creates an additional wall of protection to stop the spread and avoid becoming a cybersecurity event.

Driven by the SolarWinds attack, the General Data Privacy Regulations (GDPR) and the recent COVID-19 pandemic, European organisations need extra layers of security to best mitigate the threat environment.

Harden Your Organization’s Cybersecurity

Assuming a European organization has already established data protection standards and a zero-trust architecture, they should identify and highlight threat and risks with penetration testing and vulnerability scans to minimize the attack surface.  

Penetration tests (pen tests) are simulated cyberattacks performed by ethical hackers to assess the cybersecurity posture of your technology and systems. The process is carried out on real systems and data using the same approach a malicious hacker would use. It’s important to note that the data or personal information collected is not sold or distributed in any way.

To add an additional layer of security, consider undergoing a vulnerability scan. This exercise checks an organization’s network and systems against a database of known vulnerabilities. If your organization pairs a vulnerability scan with a pen test, you’ll have a more holistic view of your security posture to remediate any known vulnerabilities.

Prepare for a Cyberattack

It will be no surprise that human error is cited as the number one cause of data breaches and cybersecurity events. Examples of human error include default password usage, lost devices, unlocked devices, incorrect disclosure procedures, failure to manage system patches etc. As you can tell from this list, cybersecurity education for all employees is necessary and can help to prevent data breaches caused by human error.

When it comes to keeping your organization secure, it’s not a matter of if but when a cyberattack will occur. It’s important to take a proactive approach to cybersecurity by establishing your data protection plan and zero-trust architecture, then hardening your security posture with penetration testing and vulnerability scans. Putting all these tools in place now will help your organization avoid a costly cybersecurity attack in the future.

Is your European organization ready to implement zero trust? Our certified experts can help you today.