GDPR: What Compliance Says vs. What DevOps Hears

The deadline for the General Data Protection Regulation (GDPR) is fast approaching, with May 25 marking the official day of reckoning. The updates to the data protection directive of 1995 (Directive 95/46/EC) are designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy rights, and to reshape the way organizations across the EU approach data privacy.

There’s a likelihood that Compliance has approached your DevOps team to get on board. But when Compliance talks, what do you hear? Are you truly understanding what’s required of you to become GDPR compliant? Let’s take a look at some of the possible gaps in knowledge below. Read more “GDPR: What Compliance Says vs. What DevOps Hears”

How Sigstr Built Customer Trust with Threat Stack and AWS Security — Webinar Recap

On April 24, I had a great conversation with Sam Smith, the Chief Architect for Sigstr, a fast-growing SaaS platform for email signature marketing. Sigstr’s infrastructure is hosted and managed on AWS and secured by Threat Stack. Every day, Sigstr consumes and processes employee contact information from HRIS systems, customer information from marketing automation platforms, and email behavior data — which makes cloud security and data privacy key concerns for both Sigstr and its customers.

Sam’s team is a great model of how to make security a top business differentiator and sales driver. Since many of Sigstr’s customers are enterprise companies with significant risk concerns, the team has consistently been responsive to questions such as:

  • How does Sigstr access, store, and protect data?
  • How is the application’s infrastructure monitored and secured?
  • Had Sigstr undergone SOC 2 compliance or ISO 27001 compliance audits?
  • How could Sigstr help them meet GDPR requirements?

During the webinar, he shared information on how the startup managed to be so responsive to its customers’ security needs, while still maintaining a rapid pace of growth. Read more “How Sigstr Built Customer Trust with Threat Stack and AWS Security — Webinar Recap”

Are You Ready for GDPR Compliance? Here’s a Checklist.

The European Union’s General Data Protection Regulation (GDPR) is going into effect in just two months — on May 25, 2018. Yet a recent Forrester report indicates that only about 30% of companies say they’re ready to comply, and at least some of those firms are actually overstating their readiness.

If you haven’t completed your preparations or you’re not confident about your status, we’ve created the following checklist to help your organization prepare for the upcoming changes. We hope you find it useful. Read more “Are You Ready for GDPR Compliance? Here’s a Checklist.”

How to Achieve Type 2 SOC 2 With Zero Exceptions — Webinar Recap

SOC 2 compliance is one of the most common customer use cases we come across here at Threat Stack. Developed by the American Institute of CPAs (AICPA), the framework is designed for service providers storing customer data in the cloud, and SaaS companies among others often turn to us as they begin to feel overwhelmed by the requirements.

Having undergone a Type 2 SOC 2 examination ourselves, Threat Stack’s Senior Director of Operations Pete Cheslock, and Senior Infrastructure Security Engineer Pat Cable, gathered for a webinar recently to discuss exactly what we did to achieve SOC 2 compliance with zero exceptions. Read the recap below, or listen to the full webinar here. Read more “How to Achieve Type 2 SOC 2 With Zero Exceptions — Webinar Recap”

sockembot: How Threat Stack Added Automation & Visibility to its SOC 2 Change Management Process

At Threat Stack, we often talk about visibility. We have promoted visibility from an operations perspective and have given our customers visibility into their environments through our intrusion detection platform. But when it comes to change management, how do we give ourselves the same level of visibility into our internal process changes at Threat Stack? This became a very real question as we decided to roll out our Type 2 SOC 2 program over the last year, and the answer turned out to be sockembot —  an automated SOC 2 compliance checking bot that we describe in this blog post. Read more “sockembot: How Threat Stack Added Automation & Visibility to its SOC 2 Change Management Process”

How to Get Your SaaS Company SOC 2 Compliant With Minimal Headaches

SOC 2, which was developed by the American Institute of CPAs (AICPA), is specifically designed for service providers storing customer data in the cloud, which means that it applies to nearly every SaaS company operating today.

So, what is SOC 2 exactly? While the framework is a technical audit, it goes above and beyond this to require that companies establish and follow strict information security policies and procedures. The criteria for developing these policies and procedures is based on five “trust service principles” to ensure:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy of customer data

Compliance can be evaluated by independent auditors who assess a company’s ability to comply with these five principles.

SOC 2 is one of the more common requirements that SaaS companies must meet, but that doesn’t make compliance any simpler or dealing with an audit any less exacting. In this post we have laid out the most important requirements and the steps you should take to become compliant quickly in order to stay out of trouble with auditors and compete in a crowded SaaS market. Read more “How to Get Your SaaS Company SOC 2 Compliant With Minimal Headaches”

GDPR: What is the Right to Erasure?

Introduction

— by David Weinstein, Senior Security Engineer, Threat Stack

The other week, Chris Lippert, Privacy Technical Lead at Schellman & Company, LLC., wrote an excellent blog post that explores overlaps and differences between GDPR and other frameworks, including ISO/IEC 27000, NIST, and PCI, as well as ways organizations can start to bridge the gaps to achieve alignment with GDPR.

In this post, Frank Kyazze, Senior Associate at Schellman, zeroes in on one of the questions that sit at the heart of the GDPR: “What is the Right to Erasure?” In this highly informative article, Frank explains some of the rights of data holders, responsibilities of data controllers, and best practices for effectively responding to requests for erasure. Read more “GDPR: What is the Right to Erasure?”

T-72 Hours to Report a Breach – Are You GDPR Ready? – Webinar Recap

The GDPR deadline is looming large. With fewer than 100 days until May 25, many U.S. companies are still unsure what their responsibilities are under GDPR and what steps they need to take to meet new requirements.

To help you prepare, Threat Stack product marketing manager Hank Schless got together with Paul-Johan Jean, GDPR legal consultant at Sphaerist Advisory to give a high level-summary of GDPR responsibilities for U.S. companies in a recent webinar. You can either stream the archived webinar right now, or read the recap below. Read more “T-72 Hours to Report a Breach – Are You GDPR Ready? – Webinar Recap”

Threat Stack Successfully Completes Type 2 SOC 2 Examination

Threat Stack is proud to announce that we have successfully completed a Type 2 SOC 2 examination for the Security and Availability principles with Schellman & Co for our intrusion detection platform and Oversight Managed Service.

This accomplishment is especially exciting for the Threat Stack team because we were able to pass our first SOC 2 examination with zero exceptions — without having taken the organization through any similar experiences before — underscoring our commitment to maintaining rigorous security standards in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.

In this post, we want to share highlights of Threat Stack’s SOC 2 journey — why we chose this standard, the process we followed, and our commitment to our customers. In upcoming posts we’ll provide more detailed specifics as our customers go through similar journeys. Read more “Threat Stack Successfully Completes Type 2 SOC 2 Examination”

GDPR vs. Existing Frameworks: Overlaps, Differences, and Filling the Gaps

Introduction

— by Pat Cable, Senior Infrastructure Security Engineer, Threat Stack

From time to time Threat Stack invites industry experts to share our blog space, and in today’s post, Chris Lippert, Privacy Technical Lead at Schellman & Company, LLC., takes a look at the General Data Protection Regulation (GDPR), a topic that is on everyone’s mind, whether they’re prepared for it or not.

In this post, Chris explores what’s unique about the GDPR, how it overlaps with existing frameworks including ISO/IEC 27000, NIST, and PCI, and points to how you can leverage your current controls to meet many of the security considerations for personal data under Article 32, as well as other requirements of the GDPR, such as data protection policies or vendor management.

Without further ado, here are Chris’ insights into GDPR. Read more “GDPR vs. Existing Frameworks: Overlaps, Differences, and Filling the Gaps”