SecOps compliance standards for expanding tech companies

The role of Security Operations (SecOps, often grouped with DevSecOps) has taken on more responsibility in the last few years. This is partly because many companies have stepped away from managing their own servers and migrated to cloud operations. Where the role was previously technically specific, focused on server and device security, it has expanded to include operational activities, audit, and organizational governance. With the inclusion of SRE (Site Reliability Engineer) roles, this team now also covers the operational security of the web applications the company offers to customers as products and services.

Three common compliance standards are briefly outlined below. 

ISO27001

Though sometimes mistaken for an IT standard, ISO 27001 is a worldwide information security standard. It specifies the requirements for an Information Security Management System (ISMS), which provides both the framework and the basis for compliance assessment. It is popular in Europe, Asia, Australasia, and the UK.

The standard covers more than technical security: the ISMS is scoped to the business, so business operations, strategy, finance and operational risk are managed within it alongside security controls. It is intentionally aimed at organizations of all types, not just tech companies, though it is particularly suited to telecoms, IT and financial companies.

Achieving ISO 27001 certification, and in some circumstances ISO 9001 as well, is often a requirement of angel investors and/or major international partners before they will work with smaller tech companies. This is because reaching the standard via an external audit is a proven way to assure consistency and security in the business, with the cost borne by the fund seeker rather than the fund provider.

Health Insurance Portability and Accountability Act 

Some compliance standards are specific to a geography. HIPAA regulations are designed to protect patients' healthcare information. The standard requires US organizations that handle PHI (protected health information) to have administrative, physical, and technical safeguards in place and to be able to prove they are being followed.

Any individual or organization that provides treatment, payment, or healthcare operations (a "covered entity") is subject to HIPAA compliance rules. Business associates, meaning any party with access to PHI on a covered entity's behalf, or supplying support in treatment, operations, or payment, must also achieve HIPAA compliance. Their subcontractors are bound by HIPAA in turn.

SOC 2

SOC 2 is often compared with ISO 27001, but it is a US attestation framework defined by the AICPA rather than an international standard, and it is most popular with US companies. Global companies that wish to trade in the US will often need to provide a SOC 2 report, which assures partners or acquiring companies that the target company meets the specified security criteria. Note that SOC 2 produces an independent auditor's attestation report, not a certification.

A SOC 2 audit requires companies to document, establish and follow strict information security policies and procedures based on the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is mandatory in every SOC 2 report; the other four are included according to the services the company provides and what its customers require.

SOC 2 comes in two flavors. A SOC 2 Type 1 report assesses the same criteria as a snapshot in time, covering the design of controls on a given date, while a SOC 2 Type 2 report assesses whether those controls operated effectively over a review period, typically three to twelve months depending on the specific circumstances of the business.

Note: This content is of a general nature and should not be considered legal advice. Further professional advice should be taken to ensure any actions are compliant with the relevant regulations.