As a SaaS company, compliance is probably the last thing you want to think about as you kick off the new year. It can be complicated, but meeting compliance requirements can also open up new markets, speed up your sales process, and improve your company’s overall security posture. When it comes to improving your security maturity, compliance can serve as a useful part of your strategy.
Entering new markets, whether you’re targeting specific industry verticals or going after international customers, requires continuous education and awareness about the latest in compliance and regulatory standards as they relate to data privacy and security. With that in mind, this post takes a brief look at key standards in order to give you insights into the security and privacy requirements that may be pertinent to the way your SaaS company engages with prospects and customers and handles sensitive data.
If you are operating in Amazon Web Services (AWS), as many SaaS companies are, you’ll want to make sure that your infrastructure is configured in accordance with CIS benchmarks and AWS best practices. Doing so can help you meet many security and compliance requirements, simplifying your compliance journey from the start.
Once you’ve secured your AWS infrastructure, your next move should be to determine which compliance regulations apply to you now and which ones you want to adopt in the future, and, if you are already compliant, what changes and updates you need to be aware of. This will help determine where your company should focus its compliance efforts for 2018.
As a component of the American Institute of CPAs Service Organization Control reporting platform, SOC 2’s goal is to assure that systems are configured for maximum security and privacy of customer data. SOC 2 is specifically designed for service providers storing customer data in the cloud, meaning that it applies to nearly every SaaS company. It is one of the most common compliance frameworks and, thus, often the first that SaaS companies choose to comply with.
So what does it take to become SOC 2 compliant? SOC 2 goes beyond a simple technical audit, requiring you to establish and follow stringent security policies and procedures that encompass the security, availability, processing integrity, and confidentiality of any data stored in the cloud. In terms of monitoring, it’s important to set up a baseline of normal activity in order to continuously monitor for any unusual behavior. Detailed audit trails will allow for deep, contextual insight into the root cause of any attacks, allowing you to remediate the issues, thereby keeping up with SOC 2 requirements.
The General Data Protection Regulation (GDPR) takes effect in May of 2018 and has many companies scurrying to understand and comply with some of the most stringent privacy standards we’ve seen yet. With beefed up enforcement, the new framework also establishes some of the highest financial penalties for those in breach, so you’ll want to pay attention. GDPR applies to any organization, regardless of location or industry, that processes or stores the personal data of EU subjects.
Enacted by the European Parliament, the Council of the European Union, and the European Commission, GDPR is designed to harmonize data privacy laws across Europe. The mandate aims to empower individuals within the EU to regain control of their data privacy and to reshape the way organizations across Europe approach data privacy, while also addressing the export and use of data by organizations outside the EU.
One major effect of GDPR is the firm legal requirement of “data protection by design” and “data protection by default,” meaning that data controllers must limit the processing of personal data to only what’s necessary for a specific purpose. In the case of a personal data breach, GDPR also requires notification to the supervisory authority or data subject within 72 hours. Compliance can be significantly aided by having data controls baked into systems by design, as well as by employing continuous monitoring and real-time intrusion detection.
While not a regulation per se, ISO/IEC 27001 is a standard that your SaaS organization can choose to comply with to manage information security risks. It can also, optionally, be used as the basis for formal compliance assessment in order for your organization to become certified by accredited certification auditors. ISO/IEC 27001 formally specifies an Information Security Management System, a suite of activities concerning the management of information risks, and lays out an overarching management framework to identify, analyze, and address these risks.
The standard spans industry type, organization size, and market, meaning that it can apply to any SaaS company. The benefit to your SaaS organization of seeking out compliance and accreditation with ISO/IEC 27001 would be to demonstrate that you’re serious about security and to gain competitive advantage in a saturated market.
Because of the wide-reaching nature of ISO/IEC 27001, your SaaS company is free to choose from a menu of information security controls when adopting the standards in order to best meet your particular information risks. Certification, however, requires a host of documentation, including a clear information security policy, a risk assessment process, and evidence of information security monitoring and measurement.
In the following section, we give overviews of HIPAA, which is specific to protecting medical records and other personal health information, followed by PCI DSS, 23 NYCCRR 500, and FFIEC, which relate to businesses operating in the financial sector.
With a major HIPAA audit in 2016 resulting in tens of million of dollars in settlements, HIPAA compliance seems more important now than ever. Around since 1996, and updated multiple times since then, HIPAA refers to the Health Insurance Portability and Accountability Act, U.S. legislation that provides privacy and security provisions to protect individuals’ health data.
The regulations apply to any organization working in healthcare, from hospitals to insurers, as well as to anyone doing business with these organizations. Compliance can be a huge business driver in allowing you to enter the healthcare market. HIPAA compliance requires you to have certain administrative, physical, and technical safeguards in place in order to protect electronic protected health information (ePHI). Read more on this in our ebook.
While the regulations and standards we’ve discussed above are quite far-reaching, there are also a couple of industry-specific standards you may want to consider depending on the profile of your customers — current and future.
The Payment Card Industry Data Security Standard (PCI DSS) is an “actionable framework for developing a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents.” That’s according to the standard’s creators — Visa, MasterCard, Discover, and American Express — who put out the framework in 2004. Applicable to any company that stores, processes, or transmits credit card data, you should consider meeting PCI DSS standards if you deal with (or want to deal with) customers in ecommerce.
PCI DSS lays out 12 requirements for compliance. These include installing and maintaining a firewall, tracking and monitoring all access to network resources and cardholder data, and regularly testing security systems and processes. You can learn more about the requirements in our ebook, Fast Tracking Compliance in the Cloud.
23 NYCRR 500
The New York State Department of Financial Services enacted Cybersecurity Requirements for Financial Service Companies (23 NYCRR 500) last March, so any SaaS company working within the financial space, or looking to expand into finance, will want to familiarize themselves with compliance requirements this year. As we wrote in our blog on the subject, 23 NYCRR 500 applies to any organization licensed to operate under banking, insurance, or financial services laws of New York State. This includes:
- Commercial banks and trust companies
- Check cashers
- Domestic and foreign representative bank offices
- Health insurers
- Life insurance companies
- Money transmitters
- Mortgage brokers, loan originators, and loan servicers
- Property and casualty insurance companies
- Sales finance companies
- Service contract providers
Thus, these regulations apply to most SaaS companies that operate in the finance or fintech space. In order to comply with 23 NYCRR 500, you must conduct a periodic risk assessment of your information systems, and design and maintain a security program based on those assessments to protect the confidentiality, integrity, and availability of your information systems. Compliance also requires that you appoint a Chief Information Security Officer to head up these efforts.
While FFIEC guidance, as expressed in its various publications, may not have the force of law or regulations, it serves as a blueprint for examiners to follow in conducting audits of your institution. Accordingly, if you fail to comply, you could fail an audit and therefore be prevented from entering new markets, introducing new products, or even merging with or acquiring another institution. For these reasons, it’s important for SaaS companies to understand how to meet the requirements of FFIEC guidance.
Whether aiming to enhance security measures or grow your business, it’s never too early to start thinking about compliance for the year ahead, especially with new regulations such as GDPR and 23 NYCRR 500 on everyone’s minds.
Final Words . . .
We know we’ve given you a lot to take in, but a platform such as Threat Stack can help you meet a great number of compliance requirements, allowing you to easily communicate compliance to auditors and customers alike. Don’t allow the multitude of standards and regulations to overwhelm you: Compliance can be a powerful business driver, one that allows you to stand out in the ultra-competitive SaaS market. Creating a strong and actionable compliance roadmap for 2018 is well worth the effort.