Page 149 - Cyber Defense eMagazine January 2023

SOC 2

Systems and Organizational Controls 2 (SOC 2), although voluntary, is an important differentiator for any
SaaS vendor or company managing the data of other organizations. Developed by the American Institute
of CPAs (AICPA), it's a service standard that specifies how organizations should manage customer data.

The standard is based on five Trust Services criteria: security, privacy, availability, processing integrity,
and confidentiality. Compliance gives your clients the reassurance that your company takes its job of
managing their data seriously enough to have proven its competence over a prescribed period. For a
security-conscious business considering a SaaS provider, SOC 2 compliance is a minimum requirement.



ISO 27001


This is a global certification for companies looking to implement an information security management
system. It goes beyond the SOC 2 information security function to include an operational security
management system. International clients might want your company to have ISO 27001 certification.
The good news is that if you are already complying with SOC 2, you might be halfway there.



Legal Requirements

From the legal viewpoint, you'll need to implement the privacy regulations that apply to your target market.
FedRAMP, GDPR/CCPA, and HIPAA all serve specific industries. For example, if your company sells
products or services in the EU, you'll need General Data Protection Regulation (GDPR) compliance,
which is an essential element in EU data privacy laws.

For U.S. companies operating in any area of healthcare, HIPAA compliance is a stringent privacy
requirement, although you don't get a certificate to show it. Organizations serving the U.S. government
must achieve FedRAMP compliance, and if you process sensitive data of California residents, you'll need
to comply with the California Consumer Privacy Act or CCPA. This is a law aimed at enhancing privacy
rights and consumer protection for residents of that state.



Industry-Specific Regulations

Various other industries have their own legal demands, such as the payment card industry's Data Security
Standard (PCI-DSS). This standard, usually referred to as PCI, is a series of security requirements for
programs that process and store credit card payment information.



#2: How much budget have we allocated to cybersecurity for our clients?

It's important to be mindful of the costs associated with building secure software. Cybersecurity costs
money and it's not cheap to implement the needed range of security controls. This being said, your SaaS




Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.