Security operations · 4 MIN READ · BRUCE POTTER · JUL 20, 2021 · TAGS: MDR
So someone told you that you need to make sure your tech, privacy and security policies are “compliant.” And that you need your managed detection and response (MDR) provider to support your compliance program.
But what does that mean in practice?
There are things you need to do to make sure your tech and data are secure and following security best practices. You’ve done those things, and you’ve checked your work so that if anyone wants to verify you’re doing the right things, you can confidently say you’ve done your due diligence. That’s really what’s at the core of any compliance initiative, regardless if it’s regulatory compliance, industry compliance or just adhering to internal policies.
Any good MDR provider should support you in those efforts (we’ll get into how they should specifically do that in a moment). You don’t need your security provider to be a compliance liability.
What types of compliance impact a security program?
Compliance comes in all shapes and sizes. For example, your boss or your board of directors might ask you to make sure your security program is compliant with:
- Internal company policies
- Industry regulations
- Standards frameworks
- Government regulations
- Laws and treaties
- Customer audits
For some compliance checks, you may go through an audit. Audits are for compliance frameworks where:
- Some policy/regulation oversight group has blessed specific audit companies to analyze how well you are complying with the framework;
- The compliance framework is standardized, so one auditor would likely find the same results as any other auditor; and
- The audit often results in some sort of certification saying you’re compliant (wo0t!) – PCI DSS, ISO 27001 / 27701 and SOC 2 certifications are all pretty common.
For other policies and regulations, you may go through a compliance assessment rather than an audit. For these regulations, there’s no oversight group that sets out a strict framework to follow, so companies have to take their best guess as to whether or not they’re compliant based on what they know about the policy or regulation requirements.
One common example is GDPR – there’s no official audit available, so your company may hire a third-party assessor to determine if your tech and policies are in line with the requirements to keep personal data secure.
Compliance = things you need to do to keep your data and tech secure + someone verifying you’ve done those things
How Expel supports your compliance goals
Lots of our customers here at Expel have various compliance standards they need to follow.
Here’s a peek at how we support some of the most common compliance frameworks, and how we think any MDR you choose to work with should support you in meeting your compliance goals.
- SOC2: Expel is SOC2 Type 2 certified, meaning we’ve demonstrated that we safely hold and process our customers’ data. This is a good initial security certification to look for when you’re evaluating MDRs.
- ISO 27001 / 27701: Expel is also certified for these international cybersecurity and privacy standards, which are even more detailed and process-oriented than SOC2 (read: we care a lot about security!) If you have a complex security situation or strict industry security requirements, these certifications can help indicate that your MDR takes their security equally seriously.
- GDPR: There’s no official GDPR audit available (yet), but we encourage our customers to work with a third party to perform their own independent GDPR assessment. We did the same here at Expel (feel free to ask us about it). If you’re looking to comply with GDPR, your MDR should also meet GDPR-like requirements for handling your data.
- NIST 800-171: Like GDPR, there’s no official audit available right now for this standard to protect government unclassified information. At Expel, we did an internal self-assessment and are working with a third party for an independent assessment – we’d encourage you to do the same. Working with Expel or other MDR can also help you fulfill a number of the standard’s requirements regarding monitoring, alerting, reporting and responding to incidents.
- CMMC (Cybersecurity Maturity Model Certification): This is an upcoming standard that’s being included in a number of Department of Defense contracts for detailed, risk-based security. Since CMMC isn’t fully rolled out, there aren’t any auditors (yet) – but you can do what we did and have a third party perform an independent assessment to prepare for the rollout (Questions? Ask us!)
- PCI DSS: A designated PCI DSS auditor can analyze your compliance with this payment card data security standard. Expel can (and your MDR should) support your compliance by providing real time analysis and response to security alerts.
- HIPAA: Like for PCI DSS, Expel can support your HIPAA compliance by analyzing and responding to your security alerts in real time.
To sum it up, your MDR should be able to support your compliance goals in three ways:
- They should help you meet the requirements for your desired compliance frameworks so you can get those certifications and meet your security goals (#winning). For example – going after PCI and need to ensure security alerts are being investigated? Have a security operations-related audit finding that you need to fix? Your MDR should be able to help.
- Your MDR should be able to demonstrate their compliance with various security/privacy standards to keep your data safe as their customer.
- Your MDR should help you maintain your existing compliance achievements. You’re GDPR compliant? Great! Your MDR should make sure their work won’t change that.
Compliance may feel overwhelming, but think of your MDR as your compliance partner – holding hands to dive into the pool of NIST frameworks and ISO certifications together. Your MDR can help you make sure you’ve got the right things in place to keep your tech and data secure, helping you breathe a little easier when it’s time for your next audit or assessment.