Author: sociumcs

NIST Cybersecurity Framework (CSF 2.0)


NIST Cybersecurity Framework (CSF 2.0)

The NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) was established as a result of an executive order by former President Obama to improve critical infrastructure cybersecurity through partnership and collaboration. Compliance with this standard is voluntary, but the framework is often used as a basis to assess cybersecurity program maturity, practice gaps, and mitigation roadmaps because of its flexibility and common language. The NIST CSF is currently in version 1.1 as of April 2018.

The NIST CSF version 2.0 comprises 6 key Functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Under the 6 Functions are 23 Categories and 106 Subcategories (control activities).

Who does it apply to?

The NIST CSF applies to almost all cybersecurity programs and is commonly used as a reference framework within the US and North America. It is often used to assess program maturity and provide a basis of reporting to internal and external stakeholders regarding the overall security posture.

How can Socium Security help?

Socium Security can provide companies of all sizes an independent program maturity assessment based on the NIST CSF using a standard methodology. This service is typically paired with a Security Architecture Assessment that includes an assessment, report, and risk-based recommendations around the IT architecture, data processing, and security controls in place. Together, this provides management and technical stakeholders a complete picture of the current state security posture.

If your cybersecurity practices are operating with measurable maturity, consider testing the program’s capabilities with a crisis management exercise or penetration test by Socium Security.

NIST 800-218 Software Development Framework

  • NIST 800-218 (SSDF)

    Secure Software Development Framework

NIST 800-218 SSDF

NIST 800-218, also known as the Secure Software Development Framework (SSDF), provides guidelines and best practices for integrating security into the software development lifecycle (SDLC). Published by the National Institute of Standards and Technology (NIST), this framework is designed to help organizations produce software that is secure by design, reducing vulnerabilities and improving resilience against attacks.

  1. Prepare the Organization (PO):
    1. Establish security practices and governance for software development.
    2. Ensure roles, responsibilities, and policies are clearly defined.
    3. Integrate security training for development teams.
  2. Protect the Software (PS):
    1. Implement security controls during the development process.
    2. Use tools like static and dynamic analysis to identify vulnerabilities.
    3. Manage security risks for third-party software and components.
  3. Produce Well-Secured Software (PW):
    1. Implement coding practices that ensure secure design and functionality.
    2. Regularly test and review the code for vulnerabilities.
    3. Employ secure coding standards and automated security testing tools.
  4. Respond to Vulnerabilities (RV):
    1. Establish processes for handling and responding to discovered vulnerabilities.
    2. Implement patch management and updates to address security gaps.
    3. Coordinate with stakeholders to mitigate risks from vulnerabilities.

Sample of tasks organized by Groups and Practices:

A full list of tasks mapped to practices can be found here. For a download of the spreadsheet in Excel (.xlsx format), email: [email protected]

Who does it apply to?

NIST 800-218 SSDF is essential for various organizations, particularly those developing or managing software supply chains.

  1. Software Development Organizations

    • In-house Development Teams: Organizations that build software internally should use NIST 800-218 to integrate security into their development processes, ensuring their applications are secure by design.
    • Software Vendors: Companies that produce software products for other businesses or consumers must adhere to secure development practices to maintain trust and avoid security issues that could harm their reputation.
  2. Organizations in Regulated Industries

    • Finance, Healthcare, and Government Sectors: These industries often have strict compliance requirements related to data security and privacy. Implementing the SSDF helps organizations demonstrate that they are following best practices, which may be required by regulations like HIPAA, GDPR, or PCI-DSS.
    • Critical Infrastructure (e.g., Energy, Transportation): Security vulnerabilities in software used by critical infrastructure can lead to significant disruptions. NIST 800-218 helps ensure that software development in these sectors is secure and resilient.
  3. Federal Agencies and Contractors

    • U.S. Federal Government: Agencies are required to follow NIST standards, including 800-218, to ensure the security of their software. This is part of a broader effort to strengthen the cybersecurity posture of the federal government.
    • Government Contractors: Companies that develop software for the federal government must comply with NIST standards, including 800-218, to meet contractual obligations and ensure they can continue working with federal clients.
  4. Organizations Managing Third-Party Software

    • Enterprises Using Third-Party Software Solutions: Many organizations rely on software developed by third parties. NIST 800-218 can help these organizations set standards and requirements for the software they acquire, ensuring vendors follow secure development practices.
    • Managed Service Providers (MSPs): MSPs that develop, deploy, or manage software solutions for clients should use the SSDF to ensure the security of the applications they handle, reducing the risk of vulnerabilities that could impact multiple customers.
  5. Any Organization Seeking to Enhance Cybersecurity Posture

    • Startups and SMBs: Smaller companies, particularly those with limited security expertise, can benefit from adopting NIST 800-218 to establish secure development practices from the outset.
    • Enterprises with Digital Transformation Initiatives: As organizations move towards more software-driven models, integrating security into software development is crucial to avoid introducing vulnerabilities.

How can Socium Security help?

Socium Security can provide companies of all sizes an independent program maturity assessment based on the NIST CSF using a standard methodology. This service is typically paired with a Security Architecture Assessment that includes an assessment, report, and risk-based recommendations around the IT architecture, data processing, and security controls in place. Together, this provides management and technical stakeholders a complete picture of the current state security posture.

If your cybersecurity practices are operating with measurable maturity, consider testing the program’s capabilities with a crisis management exercise or penetration test by Socium Security.

Cybersecurity Needs Football Practice

  • The Fundamentals of Football and Cybersecurity: A Playbook for Success

Cybersecurity Could Use Football Practice

In the world of football, victory is achieved through meticulous planning, discipline, and teamwork. The same principles apply to cybersecurity. At first glance, these two fields might seem worlds apart, but a closer look reveals striking similarities in their foundational strategies. Whether you’re protecting your end zone or your organization’s data, success hinges on a strong defense, adaptability, and constant vigilance. Let’s explore how the fundamentals of football can provide valuable lessons for robust cybersecurity.

1. The Game Plan: Strategy and Preparation

In football, a well-thought-out game plan is essential. Coaches analyze opponents, anticipate their moves, and devise strategies to counter them. Similarly, in cybersecurity, preparation is key. Organizations must understand their threat landscape, identify vulnerabilities, and develop a comprehensive strategy to protect their assets. Just as a football team studies game tapes to anticipate plays, cybersecurity teams must conduct regular risk assessments, threat modeling, and scenario planning to stay ahead of potential attacks.

2. The Defensive Line: Perimeter Security

A football team’s defensive line is its first line of defense, tasked with stopping the opposing team from advancing. In cybersecurity, perimeter security serves the same purpose. Firewalls, intrusion detection systems, and antivirus software form the initial barrier against cyber threats. Just as a defensive line needs to be strong and impenetrable, so too must an organization’s perimeter defenses be robust and up-to-date, capable of thwarting the majority of threats before they reach critical systems.

3. Linebackers and Safeties: Monitoring and Incident Response

Linebackers and safeties are responsible for monitoring the field and reacting quickly to threats that breach the defensive line. In cybersecurity, this role is mirrored by monitoring systems and incident response teams. These elements are crucial for detecting suspicious activity and responding to breaches in real-time. Like football players reading the offense’s moves, cybersecurity professionals must be adept at recognizing and reacting to signs of an attack, mitigating damage before it escalates.

4. Teamwork and Communication: Coordination Across the Organization

Football is a team sport where success relies on seamless coordination between players. Each member must understand their role and communicate effectively to execute plays. The same is true for cybersecurity. Effective cybersecurity requires a collaborative effort across the entire organization. From IT teams to executives, every stakeholder must understand their responsibilities and maintain open lines of communication. Just as miscommunication on the field can lead to a touchdown, breakdowns in communication within an organization can lead to successful cyberattacks.

5. Adapting to the Opponent: Continuous Improvement

In football, teams must adapt their strategies throughout the game. Halftime adjustments based on the opponent’s tactics can make the difference between winning and losing. Cybersecurity operates under the same principle of continuous improvement. Cyber threats are constantly evolving, and organizations must stay agile, regularly updating their defenses, and learning from past incidents. Just as a football team reviews its performance after each game, cybersecurity teams should conduct post-incident analyses to improve their defenses and response strategies.

6. The Playbook: Policies and Procedures

Every football team has a playbook—a collection of strategies, plays, and tactics designed to lead them to victory. In cybersecurity, the playbook consists of policies, procedures, and guidelines that govern how an organization protects its information assets. These documents outline best practices for data protection, user access, and incident response, ensuring that everyone in the organization knows their role in maintaining security. A well-crafted playbook is essential for both football teams and cybersecurity teams alike, providing a clear path to success.

7. The Goal Line: Achieving Success

In football, the ultimate goal is to score points and win the game. In cybersecurity, the goal is to protect the organization’s data and maintain its integrity, availability, and confidentiality. While the stakes are different, the fundamentals of achieving success are remarkably similar. Both football teams and cybersecurity teams must remain disciplined, vigilant, and adaptable, constantly working to improve their strategies and defenses.

Football teams and cybersecurity teams are more similar than you think…

Whether on the football field or in the world of cybersecurity, the fundamentals of success remain the same: preparation, strong defense, teamwork, and adaptability. By applying the lessons learned from football, organizations can build a cybersecurity program that is not only resilient but also capable of evolving in the face of new challenges.


At Socium Security, we understand the importance of these fundamentals. We help organizations develop tailored cybersecurity strategies that reflect the unique needs of each business and support the operation of the required practices and capabilities. Football and cybersecurity both take a team to be successful.

By drawing parallels between football and cybersecurity, this blog post highlights the importance of preparation, defense, teamwork, and adaptability in achieving success in both fields. It’s designed to resonate with readers by using familiar concepts to explain complex cybersecurity strategies, making the content more engaging and relatable.


Refer to the NIST CSF 2.0 Govern and Identify functions to start organizing your approach and strategy.

If your cybersecurity practices are operating with measurable maturity, consider testing the program’s capabilities with a crisis management exercise or penetration test by Socium Security.

PCI DSSv4.0

  • Payment Card Industry (PCI)

Updated Regulation for PCI DSSv4.0

What is PCI DSS?

The PCI Security Standards Council (PCI SSC) serves as a worldwide platform where stakeholders in the payments industry collaborate to establish and promote data security standards and resources, ensuring secure payments on a global scale. Their updated regulations for PCI DSSv4.0 allow for a flexible approach to meet the standard requirements with the introduction of a “Customized Approach” in addition to the “Defined Approach”. Note: the “Customized Approach” is only recommended for entities with a robust security program and risk management practices.

Approaches to PCI DSSv4.0

What are the drivers behind the update?

  • Ensure the standard meets the security needs of the Payment Card Industry (PCI)
  • Add flexibility to support different methodologies to achieve security
  • Promote security as a continuous process
  • Enhance validation methods and procedures

When will updated regulation for PCI DSSv4.0 go into effect?

  • Existing PCI DSSv3.2.1 will remain active for 2 years (through March 31, 2024)
  • New PCI DSSv4.0 requirements will go into effect March 31, 2022, and either version can be used until March 31, 2024.
  • After March 31, 2024, the updated regulation for PCI DSSv4.0 will be required.

What do I need to do?

  • Review the updated requirements of PCI DSS (Link).
  • Determine whether the Defined Approach or Customized Approach is best for your organization, and consult with your Assessor if the Customized Approach is the preferred validation approach.
  • Define an implementation plan for the updated requirements.
  • Determine when the assessment will become effective for your organization (prior to March 21, 2024).

Process for PCI DSSv4.0

How can Socium Security help?

Socium can assist entities that are designing their security programs for PCI DSS compliance with services around completing the Self-Assessment Questionnaire (SAQ) and penetration testing services on in scope systems.

How can I learn more?

Refer to the PCI DSSv4.0 Resource Hub for information, documentation, and updated news regarding v4.0.

Overview of PCI DSSv4.0

California Privacy Rights Act (CPRA)


CPRA

The California Privacy Rights Act (CPRA) is a ballot measure approved by voters in November 2020.

Who is a ‘consumer’?

A consumer is a natural person who is a California resident, as defined in the state’s tax regulations.

What rights do consumers have?

The CCPA creates six specific rights for consumers:

  1. the right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom;
  2. the right to delete personal information collected from the consumer;
  3. the right to opt-out of the sale of personal information (if applicable);
  4. the right to opt-into the sale of personal information of consumers under the age of 16 (if applicable);
  5. the right to non-discriminatory treatment for exercising any rights; and
  6. the right to initiate a private cause of action for data breaches.

The CPRA creates two additional rights:

  1. the right to correct inaccurate personal information; and
  2. the right to limit use and disclosure of sensitive personal information.

What is a consumer’s ‘personal information’?

The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

What is a consumer’s ‘sensitive personal information’?

SPI is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:

  • a consumer’s social security, driver’s license, state identification card, or passport number
  • a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
  • a consumer’s precise geolocation
  • a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
  • the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
  • a consumer’s genetic data

What constitutes a ‘sale’ of personal information?

The CCPA defines a “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

What does ‘sharing’ personal information mean?

The CPRA defines “sharing” as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

When does CPRA go into effect?

The CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA won’t become “operative” until Jan. 1, 2023.

How can Socium Security help?

Socium Security can assist organizations with building a privacy program that will enable compliance with existing Privacy related regulations including the CPRA.

California Consumer Privacy Act (CCPA)


CCPA

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents (“Consumers”). It is a law that gives consumers more control over the personal information that businesses collect about them.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers, passed in Nov. 2020. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to Jan. 2022.

Who does it apply to?

The CCPA will apply to for-profit businesses that collect and control California residents’ (“Consumers”) PI, do business in the state of California, and meet at least one of the below conditions.

  • Buys, sells or shares personal information of 50,000 consumers or devices
  • Annual gross revenue is greater than $25 million
  • Derives 50% of its annual revenue from the sale of its customers’ personal information

CCPA Specific Definitions

  • Consumer – A consumer is any natural person who is a California resident.
  • Processing – Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means.
  • Collector – A “collector” is someone who buys, rents, gathers, obtains, receives, or accesses any personal information pertaining to a California resident by any means.
  • Seller – A “seller” is someone who sells, rents, releases, discloses, disseminates, makes available, transfers, or otherwise communicates orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.

While not all “collectors” are “sellers,” a seller is most likely a collector.

  • Service Provider – Service Provider is a for-profit entity that processes information on behalf of a CCPA-covered business. Note – CCPA differentiates between third parties and service providers.
  • An organization is a “third party” unless
    • it is the “business” that collects PI from consumers, or
    • it enters into a contract with a “business” that requires such organization to follow “service provider”–type restrictions.

Consumer Rights

Right to Know/Access – Right to access specific pieces of personal information the business has collected from consumers and the categories set forth (twice annually, free of charge).

Right to Deletion – Right to request that the business delete any personal information collected from the Consumer. The CPRA also requires businesses to forward the deletion request to third parties so that all parties are aware the information must be deleted, subject to some exceptions.

Right to Opt-in and Opt-out – Right to opt out of (i.e. stop) the sale of personal information to third parties, and a mandated opt-in that businesses must provide for the sale of personal information of children under the age of 16. An opt-out request can be submitted through the “Do Not Sell My Personal Information” button on the homepage of the organization’s website.

Right to Opt-in: The CPRA expands this right to include sharing of minor consumer’s personal information as an additional basis requiring affirmative authorization (“opt-in”). The CPRA states that an organization cannot sell or share the personal information of a consumer who is less than 16 years old (“minor”) unless the business has received “opt-in” consent i.e., affirmative authorization for the sale or sharing of that information.

Right to Opt-out: The CPRA expands this right to include sharing of personal information about the consumer to third parties as well. Additionally, the CPRA provides consumers access and opt-out rights with respect to the processing of their personal information that is based on automated decision making, including profiling.

Right to Non-discrimination (also called “Right to Equal Services”) – Right to receive equal services and pricing from the business even after the consumer exercises their privacy rights.

Right to Disclosure – Right to request that businesses that sell personal information provide information related to specific aspects of the business’s data practices. The CPRA expands this right to include sharing of personal information as an additional basis for disclosure of the information specified under the CCPA to the consumer upon receipt of a verifiable consumer request.

Exceptions to the opt-out right –

  • If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

Right to Rectification – A consumer has the right to request that an organization that maintains inaccurate personal information about the consumer correct that information, taking into account the nature and purposes of the processing of the information.

Right to Limit Use and Disclosure of Sensitive Personal Information – Consumers have the right to restrict the use of the sensitive personal information collected about them. The business must also give the user easily visible access to a link on every webpage that makes invoking this right convenient, by placing a prominent “Limit the Use of My Sensitive Personal Information (SPI)” link on its homepage. SPI is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals: a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; etc.

Under the “Right to Know/Access”, a Consumer may request that the business disclose the below:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which the business collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The categories of information that the business sells or discloses to third parties

Additionally, the CCPA provides consumers with a private right of action and statutory damages if certain unencrypted and unredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure.

How can Socium Security help?

Socium Security can help companies design security programs to meet the CCPA requirements and provide virtual DPO services to manage the ongoing operational aspects of the requirements.

GDPR

  • General Data Protection Regulation (GDPR)

GDPR

The General Data Protection Regulation (GDPR) was passed by the European Parliament in 2016 to establish data privacy and security standards for EU citizens. It is driven by fundamental privacy rights derived from the 1950 European Convention on Human Rights and introduces specific penalties:

  • The less severe infringements could result in a fine of up to €10 million, or 2% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages
  • The more serious infringements occur when the organization denies or disrespects the basic principles at the heart of the GDPR, such as lawfulness, data subject rights, etc. These types of infringements could result in a fine of up to €20 million, or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages

The GDPR is organized as follows:

Data protection principles

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Accountability

The GDPR says data controllers have to be able to demonstrate they are GDPR compliant.

Data Security

The organization must implement appropriate technical and organizational measures, and follow time-based data breach reporting.

Data protection by design and default

Data protection principles must be considered in the design of any new product or service.

Data Processing

Specific scenarios are outlined to justify the processing of personal data.

  1. The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted in to your marketing email list.)
  2. Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)
  3. You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
  4. You need to process the data to save somebody’s life. (e.g. Well, you’ll probably know when this one applies.)
  5. Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)
  6. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

Consent

  • Consent must be “freely given, specific, informed and unambiguous.”
  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
  • Children under 13 can only give consent with permission from their parent.
  • You need to keep documentary evidence of consent.

Data Protection Officer (DPO)

A Data Protection Officer must be appointed if:

  1. You are a public authority other than a court acting in a judicial capacity.
  2. Your core activities require you to monitor people systematically and regularly on a large scale. (e.g. Google.)
  3. Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10. (e.g. You’re a medical office.)

Data Subject Rights

Listed below are a data subject’s privacy rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Who does it apply to?

Any organization that processes personal data of an EU citizen or resident, even if the organization itself is not located in the EU.

How can Socium Security help?

Socium Security can help with assessments and program development and managed services supporting GDPR requirements.

Health Insurance Portability and Accountability Act (HIPAA)


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed for healthcare organizations to safeguard the privacy of electronic health information and was later supported by a Privacy Rule and a Security Rule.

  • HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
  • HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).

Who does it apply to?

HIPAA was intended to protect individually identifiable health information, or Protected Health Information (PHI), held by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.

How can Socium Security help?

Socium Security can assist organizations with completing the risk assessment process utilizing the Security Risk Assessment (SRA) tool, and to design and implement a security program based on the requirements of HIPAA.

SOC2 Compliance


SOC2 Certification

Service Organization Control (SOC) is a trust-based cybersecurity framework and auditing standard designed by the American Institute of Certified Public Accountants (AICPA) to demonstrate a service provider’s operational controls. The Trust Services Criteria are grouped across the following:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Who does it apply to?

The SOC2 standard is intended to indicate a service provider’s ability to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. The SOC2 control requirements can be validated by a type 1 or type 2 audit report. A type 2 report covers management’s description of a service organization’s system and the suitability of the design and operating effectiveness of its controls; a type 1 report covers management’s description of a service organization’s system and the suitability of the design of its controls.

How can Socium Security help?

Socium Security can provide assessment and readiness services for organizations that need to meet internal or external stakeholder expectations using SOC2 audits and reports. We also have partners who are licensed to conduct the audit and reporting services to complete the cycle.

CIO 2023 Priorities: Cybersecurity


    The mantra of the year: Trust no one

CIO Journal: CIO 2023 Priorities - Cybersecurity

As companies race to combat cyber threats, cybersecurity will remain a top investment priority for corporate technology executives in 2023. These threats, as well as the associated business risk, have grown in recent years. The FBI’s Internet Crime Complaint Center reported a record 847,376 cyberattack complaints in 2021, with potential losses exceeding $6.9 billion.

The key takeaways from the CIO Journal survey:

  • Cybersecurity is a top priority
  • Cybersecurity is an increasingly collaborative effort
  • Zero-Trust Approach
  • Multi-Factor Authentication

Link to full article