Securisea Resources

The latest in security and compliance news and resources.

SOC2 + HITRUST: Combining Controls for Maximum Security

August 23, 2024
SOC Attestation

When it comes to ensuring the security and compliance of sensitive data, particularly in industries like healthcare, holding both a SOC 2 report and a HITRUST certification can offer substantial advantages. SOC 2 is built on the Trust Services Criteria, which apply to safeguarding customer data in any industry, while HITRUST originated in the healthcare sector and harmonizes a comprehensive set of controls drawn from many regulations and standards, including HIPAA. 

Meeting both SOC 2 and HITRUST requirements reduces the likelihood and impact of data breaches and demonstrates a strong commitment to information security and privacy, fostering trust. The combined assurance these two reports provide can help build confidence with clients, reduce the complexity of managing multiple compliance requirements, and ultimately streamline the audit process by letting one body of evidence serve both.

Understanding SOC2

SOC 2, which stands for System and Organization Controls 2 (originally Service Organization Control 2), defines criteria against which an independent CPA firm attests to how a company manages customer data. Maintained by the American Institute of CPAs (AICPA), SOC 2 is crucial for organizations providing SaaS (Software as a Service) and cloud services. Note that SOC 2 is an attestation report issued by a licensed CPA firm, not a certification.

The framework is built around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the Common Criteria) is mandatory in every SOC 2 report; the other four categories are included only when the service organization chooses to bring them into scope.

  • Security ensures data protection against unauthorized access.
  • Availability ensures that systems are operational and accessible when needed.
  • Processing Integrity ensures data processing is complete, accurate, and authorized.
  • Confidentiality protects sensitive information.
  • Privacy governs the collection, use, retention, and disposal of personal information according to an organization's privacy policy and applicable laws.

SOC 2 has two types of audit reports:

  • Type I assesses the design of internal controls at a specific point in time.
  • Type II evaluates both the design and the operating effectiveness of controls over an observation period, commonly six to twelve months. Most customers performing vendor due diligence ask for a Type II report.

Understanding HITRUST

HITRUST, which stands for Health Information Trust Alliance, maintains the HITRUST CSF, a comprehensive cybersecurity framework used by organizations of any industry that collect, store, process, or transmit sensitive data. The framework was created and is maintained by the HITRUST Alliance (not by the AICPA, which maintains SOC 2). HITRUST certification is used to demonstrate that an organization's controls align with a range of regulations and standards, such as HIPAA and GDPR, and it can be reported alongside SOC 2 in a single engagement. 

The HITRUST CSF is the leading security framework in the healthcare sector, with 81 percent of hospitals and 80 percent of health plans integrating it into their operations. Whether used as a foundational resource for best practices or as the core of their information protection strategies, the HITRUST CSF has become a key component for ensuring security across the industry.

There are three types of HITRUST assessments:

  • e1 Assessment (Essentials, 1-year) is a one-year certification that focuses on cybersecurity essentials and is intended for organizations with low risk profiles or limited complexity. It has 44 control requirements and is a practical starting point for startups.
  • i1 Assessment (Implemented, 1-year) is a one-year certification that focuses on leading security practices and is intended for organizations with established information security programs. Its requirement set is fixed rather than tailored, so it is considered less work than the r2 assessment.
  • r2 Assessment (Risk-based, 2-year) is a two-year certification, with an interim assessment at the one-year mark, that focuses on expanded practices and is risk-based. Its requirement set is tailored from the organization's risk factors, which can include general, organizational, geographic, technical, and regulatory factors, and can run to 1,000 requirements or more. The r2 assessment is considerably more work than the i1 assessment, but it lets organizations demonstrate a higher level of risk management maturity. 

How is HITRUST different from HIPAA?

The main difference between HITRUST and HIPAA is that HIPAA is a U.S. law that sets standards for protecting patient health information in the health industry, and it offers no certification of its own. HITRUST is a global framework for managing security and risk; its HITRUST CSF maps controls to regulations such as HIPAA, and a validated HITRUST assessment gives an organization independent evidence that those controls are in place. Keep in mind that HHS does not recognize any certification as proof of HIPAA compliance; HITRUST certification supports a HIPAA program but does not replace the risk analysis and other obligations HIPAA itself requires. 

Benefits of SOC2 + HITRUST 

In the past, organizations needing both a SOC 2 report and a HITRUST certification had no choice but to undergo two separate assessments. This approach led to duplicated evidence collection and increased costs for businesses striving to meet both the Trust Services Criteria and HITRUST CSF requirements. Recognizing the inefficiency, the American Institute of Certified Public Accountants (AICPA) collaborated with the HITRUST Alliance to streamline the process. The result is the SOC 2 + HITRUST program, a unified reporting framework that allows service organizations to demonstrate compliance with both sets of requirements in a single, consolidated report.

Securisea Simplifies SOC2 + HITRUST Compliance

The complementary nature of SOC 2 + HITRUST allows for a unified approach to compliance, benefiting organizations in the healthcare sector or those working with healthcare data. Securisea’s integrated approach to security and compliance translates into real savings of both time and money for our clients, helping them reach their goal of achieving and maintaining SOC 2 and HITRUST compliance more quickly. As a trusted advisor, Securisea will work alongside you to understand your business, and help you meet your security and compliance objectives.

Securisea is one of only a handful of audit firms in the world certified to provide PCI DSS, FedRAMP/StateRAMP 3PAO, HITRUST & HIPAA, ISO 27001 and 27701, SOC 2, SOC 1, and CSA STAR assessments all under one roof.

Success Story: Conquer + Securisea

August 22, 2024
Success Story

Securisea has worked with Conquer on several audits over the years, starting with a SOC 2 Type I audit followed by a SOC 2 Type II audit. 

Like many first-time SOC clients, Conquer had several large new business prospects that were close to closing but required a SOC 2 report as part of their due diligence. Conquer initially selected Securisea after building an internal short list of six security vendors they wanted to interview to see which company was the right fit. According to Ian Skebba, Chief Technology Officer at Conquer, “We were looking for that partner that would make us a priority and could help us accomplish our goals quickly, but also was cost-effective for us based on who we are as a company, and our size at the time.” Since this was Conquer’s first foray into a SOC 2 engagement, they needed a company that could do more than just execute a set of control tests, one that would also look at the controls they had designed within their specific technical context.

Securisea Announces Re-election to PCI Security Standards Council’s Global Executive Assessor Roundtable

August 7, 2024
PCI Compliance

(Annapolis, MD, August 5, 2024) Securisea, a leading provider of security and compliance services, announced today that they have been re-elected to serve on the PCI Security Standards Council’s Global Executive Assessor Roundtable (GEAR). 

Securisea is one of 33 organizations to join the PCI Security Standards Council’s Global Executive Assessor Roundtable in its efforts to secure payment data globally. As strategic partners, Roundtable members bring industry, geographical and technical insight to PCI SSC plans and projects on behalf of the assessor community. 

“We’re proud to have our contributions recognized and to continue our service on the GEAR Roundtable,” said Josh Daymont, CEO of Securisea. “The threats to payment security continue to evolve at a rapid pace, and as a global assessor on the front lines, we appreciate the opportunity to use our experience and expertise to shape the future of PCI compliance standards.”

“We need voices from across the assessor community to help ensure we are providing the best standards and programs to support the industry in protecting against today’s modern cybercriminal,” said Gina Gobeyn, Executive Director of PCI SSC. “We’re pleased to have Securisea on the PCI SSC Global Executive Roundtable to provide critical insights and help us build on the great efforts that are already being done to increase payment security globally.”

Securisea is one of only a handful of audit firms in the world certified to provide PCI DSS, FedRAMP/StateRAMP 3PAO, HITRUST & HIPAA, ISO 27001 and 27701, SOC 2, SOC 1, and CSA STAR assessments all under one roof. Their integrated compliance approach allows clients to leverage existing security controls from other frameworks directly into each engagement, reducing overhead and work duplication. 

Founded in 2006, Securisea provides audit support for organizations of all sizes, from startups to some of the world’s most security-minded technology companies. Their customers rely on them to continue to evolve to meet an ever-changing security and compliance landscape, while maintaining a high level of expertise, responsiveness, and customer service to every unique engagement. 

About Securisea
Securisea is a leading provider of security and compliance services, helping companies secure their sensitive data and systems. With a personalized approach to customer service and a deep understanding of the unique needs of large enterprise companies, Securisea has built a reputation for delivering reliable, effective, and efficient security and compliance solutions. For more information, please visit http://www.securisea.com.

About the PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible, and effective data security standards and programs that help businesses detect, mitigate, and prevent cyberattacks and breaches. 

Contact Information:
Josh Daymont, CEO
sales@securisea.com
1 877-563-4230

Getting Started with ISO 27001 Certification: Why Does My Company Need It?

July 25, 2024
General Compliance

The primary reason an organization decides it’s necessary to start the ISO 27001 process is simple: their customers are asking for it, and refuse to do business without it. 

Having an ISO 27001 certification demonstrates to your customers that your organization is committed to maintaining high standards of information security. Here are some key points it conveys:

  1. Trust and Confidence: It reassures customers that their data is handled securely and is protected against breaches, unauthorized access, and other security threats.
  2. Compliance: It indicates that your organization meets international standards for information security management, which can be crucial for regulatory compliance and contractual obligations.
  3. Risk Management: It shows that your organization has a systematic approach to managing sensitive company and customer information, including risk assessment and mitigation strategies.
  4. Operational Excellence: It highlights that your organization follows best practices in information security, which can improve efficiency and reduce the risk of data-related incidents.
  5. Competitive Advantage: It sets your organization apart from competitors who may not have such certifications, potentially attracting more security-conscious customers.
  6. Continuous Improvement: It signifies that your organization is committed to continuous improvement in information security practices, as ISO 27001 requires regular internal audits, management reviews, and updates to the information security management system.

Overall, having an ISO 27001 certification can enhance your organization's reputation, build customer trust, and open up new business opportunities. 

Preparing for An Internal ISO 27001 Audit

An internal ISO 27001 audit is a process that evaluates an organization’s information security management system (ISMS) against the requirements of the ISO 27001 standard. The standard (clause 9.2) requires these audits at planned intervals, and the auditors must be independent of the area they audit. The audit is conducted by internal staff, or outsourced to an external firm like Securisea, to confirm conformity, identify areas for improvement, and prepare for the certification audit performed by an accredited certification body. 

Steps Involved in an Internal ISO 27001 Audit:

  1. Planning: Define the scope, objectives, and criteria of the audit. Develop an audit plan and schedule.
  2. Documentation Review: Examine the ISMS documentation to ensure it meets ISO 27001 requirements.
  3. Conducting the Audit: Perform the audit through interviews, observations, and reviewing records and processes.
  4. Reporting: Document the findings, including non-conformities, observations, and opportunities for improvement.
  5. Corrective Actions: Implement corrective actions to address non-conformities and improve the ISMS.
  6. Follow-Up: Verify the effectiveness of corrective actions and ensure ongoing compliance.

How Securisea Can Help

Navigating the intricacies of an ISO 27001 internal audit can be challenging. This is where Securisea comes in. Our team of experienced professionals is dedicated to helping organizations achieve and maintain ISO 27001 certification with ease and confidence.

Here’s how Securisea can assist:

  1. Expert Guidance: Our consultants have extensive experience with ISO 27001 standards and can provide expert guidance throughout the internal audit process. From planning to execution, we ensure that every step is conducted thoroughly and efficiently.
  2. Comprehensive Audit Services: Securisea offers comprehensive internal audit services tailored to your organization’s specific needs. We assess your ISMS against ISO 27001 standards, identify areas of non-conformity, and provide actionable recommendations for improvement.
  3. Training and Education: We believe in empowering your team with the knowledge and skills necessary to maintain ISO 27001 compliance. Securisea provides training sessions and workshops to educate staff on information security management best practices.
  4. Continuous Support: Achieving ISO 27001 certification is just the beginning. Securisea offers ongoing support to help you maintain compliance and continuously improve your ISMS. Our team is always available to answer questions, provide guidance, and assist with any challenges that arise.
  5. Tailored Solutions: Every organization is unique, as are its information security needs. Securisea takes a personalized approach, tailoring our services to align with your specific requirements and business objectives.

Final Thoughts:

An ISO 27001 internal audit is a critical component of maintaining a robust and compliant information security management system. With Securisea's expert assistance, your organization can navigate the complexities of this process with confidence. Our comprehensive audit services, expert guidance, and continuous support ensure that your ISMS not only meets ISO 27001 standards but also evolves to address emerging security threats and challenges.

Ready to take the next step in securing your organization’s information assets? Contact Securisea today and let us help you achieve ISO 27001 certification and maintain the highest standards of information security.

Success Story: Systems East + Securisea

July 18, 2024
Success Story

Systems East Inc. reached out to Securisea based on a referral from their hosting provider. Although Systems East had an exceptionally mature PCI compliance program, their existing assessor company had become disorganized as it grew, and its auditors repeatedly asked for the same evidence multiple times, which delayed completion of the entire engagement. Systems East was working with one of the largest PCI compliance advisors in the country, had gone through the entire PCI process, submitted evidence, and were then left waiting for weeks. After multiple calls and inquiries with no reply, Systems East learned that their QSA had been pulled from the project and assigned to a much larger client, with no timeline for completing their certification.

Systems East selected Securisea as their PCI compliance partner in response to their existing hosting provider’s strong recommendation. According to Peter Rogati, “Securisea came in right away and understood our business, our past experiences, our needs, and helped us move forward.”

According to Rogati, other firms in the past had presented a menu of a la carte services for them to choose from, and everything had a cost. There was little guidance, it was “tell us what you want and we’ll sell it to you”. With Securisea, Systems East found a partner that took the time to listen to their wants, their motivations, and then advise them on the best path forward. Securisea was able to guide Systems East through the audit process, while also keeping them from doing things they really didn’t need to do. 

SOC2 + HIPAA Compliance: Combining Controls for Maximum Security

July 11, 2024
SOC Attestation

At Securisea we are often asked to combine the work of two or more of the many audits we are licensed to perform in order to reduce, if not eliminate, the repeat work of preparing for and completing audit evidence collection. While we are highly effective at running a range of assurance engagements in parallel, one of the most direct ways of achieving this is the SOC 2+ audit, which allows us to issue under our CPA license a single combined report covering SOC 2 as well as an additional set of requirements. The most common case of this by far is the SOC 2 + HIPAA engagement.

SOC 2 and HIPAA are two critical frameworks for securing and protecting customer and patient data: SOC 2 is an attestation framework maintained by the AICPA, and HIPAA is a U.S. federal law. Meeting both reduces the likelihood and impact of data breaches and demonstrates a strong commitment to information security and privacy, fostering trust.

Understanding SOC 2

SOC 2, which stands for System and Organization Controls 2 (originally Service Organization Control 2), defines criteria against which an independent CPA firm attests to how a company manages customer data. Maintained by the American Institute of CPAs (AICPA), SOC 2 is crucial for organizations providing SaaS (Software as a Service) and cloud services.

The framework is built around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is mandatory in every SOC 2 report; the other four are included only when brought into scope.

  • Security ensures data protection against unauthorized access.
  • Availability ensures that systems are operational and accessible when needed.
  • Processing Integrity ensures data processing is complete, accurate, and authorized.
  • Confidentiality protects sensitive information.
  • Privacy governs the collection, use, retention, and disposal of personal information according to an organization’s privacy policy and applicable laws.

SOC 2 has two types of audit reports:

  • Type I assesses the design of internal controls at a specific point in time.
  • Type II evaluates both the design and operating effectiveness of controls over an observation period, commonly six to twelve months.

Understanding HIPAA

HIPAA, or the Health Insurance Portability and Accountability Act, is a US federal law that sets standards for protecting sensitive patient data. Enacted in 1996, with its implementing rules issued in the years that followed, its main goal is to protect the confidentiality, integrity, and availability of patient health information, also known as PHI (Protected Health Information).

HIPAA consists of several rules:

  • The Privacy Rule sets standards for using and disclosing PHI.
  • The Security Rule addresses electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to ensure its security, starting with a documented risk analysis.
  • The Breach Notification Rule requires notification of affected individuals and HHS (and, for large breaches, the media) following a breach of unsecured PHI, without unreasonable delay and no later than 60 days after discovery.
  • The Enforcement Rule sets out how HHS investigates complaints and the civil penalties it can impose.

Compliance with HIPAA is mandatory for covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates, who have been directly liable for Security Rule compliance since the 2013 Omnibus Rule.

Benefits of SOC 2 + HIPAA Compliance

Achieving compliance with both SOC 2 and HIPAA offers numerous benefits for healthcare organizations handling sensitive patient data.

  1. Enhanced Security Controls: Adhering to both regulations ensures robust security measures, reducing the risk of data breaches and associated financial and reputational damage.
  2. Customer Trust: Compliance demonstrates a commitment to protecting customer data, enhancing trust with current customers and attracting new ones.
  3. Complementary Frameworks: SOC 2’s Trust Services Criteria align with HIPAA’s Security Rule, making compliance efforts more efficient and effective.

Securisea Simplifies SOC 2 + HIPAA Compliance

The complementary nature of SOC 2 and HIPAA allows for a unified approach to compliance, benefiting organizations in the healthcare sector or those working with healthcare data.

Securisea’s integrated approach to security and compliance translates into real savings of both time and money for our clients, helping them reach their goal of achieving and maintaining SOC 2 and HIPAA compliance more quickly. 

As a trusted advisor, Securisea will work alongside you to understand your business, and help you meet your security and compliance objectives. 

FAQs

Does SOC 2 cover HIPAA compliance?

While SOC 2 does not specifically cover HIPAA, a SOC 2 report can include controls relevant to HIPAA, particularly in security and privacy areas. SOC 2 compliance can complement HIPAA efforts by ensuring robust security practices, but it does not replace a comprehensive HIPAA compliance assessment.

How does SOC 2 map to HIPAA?

SOC 2’s security and privacy criteria align with HIPAA’s Security and Privacy Rules. For example:

  • SOC 2’s Security criteria (access control, change management, risk assessment, monitoring, and incident response) align with HIPAA’s administrative, physical, and technical safeguards for ePHI.
  • SOC 2’s Privacy criteria can be adapted to meet HIPAA’s standards for PHI use, disclosure, and protection.

What is the difference between HITRUST and SOC 2?

HITRUST originated in the healthcare industry and provides a certifiable framework whose controls map to HIPAA, while SOC 2 applies to any service provider managing customer data. HITRUST certification demonstrates conformity with a prescriptive, healthcare-oriented control set, whereas a SOC 2 report attests to controls the organization itself designed against the Trust Services Criteria.

By understanding and implementing both SOC 2 and HIPAA frameworks, organizations can significantly enhance their data security and privacy measures, ensuring comprehensive protection for sensitive information.

Why choose Securisea?

15 year track record of successfully meeting client objectives
Extensive depth and breadth of service offerings
Deep technical expertise in all of our services

Schedule a call with us to optimize your cybersecurity compliance program

We'll get back to you in one business day or less
Contact us
Copyright © 2024 Securisea, Inc. All Rights Reserved.