Compliance Perspectives

Troy Fine on Data Security Standards Audits [Podcast]


By Adam Turteltaub

With heightened concern and vigilance over cybersecurity has come an increasing number of yardsticks that organizations must measure themselves against. As Troy Fine, Director, Risk and Compliance at Drata, explains, in addition to legal requirements such as the European General Data Protection Regulation (GDPR), HIPAA and the California Consumer Privacy Act (CCPA), two key standards have emerged:

* SOC2: This standard was developed by the accounting body ISACA and is primarily of import to US-based technology companies and startups. Audits are performed by CPA firms on internal controls related to security.
* ISO27001: More popular in Europe, it is a certification of information security management systems, examining how risks are identified and mitigated and what control plans are in place.

To prepare for an audit, he recommends first getting a good understanding of the relevant standard so you know every element it requires and what it will take to meet those requirements. Next, determine when you will need the certification in hand and build a timeline backwards from that date to determine when you need to start. Calculate, too, what it will cost in terms of time, people and everything else, including the price of the audit itself.

How you work with the auditor will depend largely on which audit you pursue. He explains that SOC2 audits allow for more consultation than ISO27001 does.

When hiring an auditor, it can be tempting to choose the one with the lowest price. He recommends being careful before going down that route, since a cheaper auditor is likely to have less time to give you.

Also make sure the auditor has the expertise needed to evaluate your technology. Some are not as well versed in certain areas, including cloud services, as they should be.

Once the audit begins, compliance teams can help by ensuring that all the data and people the auditor needs are available. And, he advises, be transparent, even about your gaps.

Listen in to learn more about having a successful data security standard audit.
Compliance Perspectives, by SCCE