Frequently asked questions
All common infosec questions, answered in one place – just for you.
Right out of the box – we support SOC 2, ISO 27001, GDPR, ISO 27701, CCPA, HIPAA, PCI DSS, SOC 1, FedRAMP and CMMC. That being said, our cyber asset discovery and risk identification goes very deep and lets you create any mitigation control, even outside of the standard frameworks.
Scrut is a global service provider and is not limited to organizations from specific countries. We have provided organizations worldwide with the tools to build a more robust information security system and to comply with the standards most relevant to their business requirements.
Scrut has built a platform of products that helps organizations across all industries strengthen their security posture and improve their risk management. Its automated procedures identify emerging risks through the risk management module, implement policies to manage those risks with smartGRC, and continuously monitor the cloud environment for misconfigurations through the cloud diagnostics tool, helping organizations maintain overall information security without hindering growth.
While Scrut is a sector-agnostic solution, most of our customers are SaaS, Fintech, or Health-tech companies that have a complex cyber asset footprint and must continuously remain compliant with multiple standards such as ISO 27001, SOC 2, GDPR, and NIST.
Scrut CAASM, combined with our smartGRC approach, addresses the tool fatigue that comes with managing multiple point solutions. You can visit our Products section to see which capabilities we can replace.
Despite popularly being referred to as a “SOC 2 certification,” SOC 2 is actually an attestation. A SOC 2 audit report is the auditor’s attestation to what they have observed in the organization’s security program.
The SOC 2 compliance audit typically consists of the following:
- Gap assessment to identify areas of improvement
- Scope finalization across the Trust Service Criteria (TSC)
- Policy updates, as needed, and training
- Evidence collection across relevant controls
- Drafting of SOC 2 compliance report
SOC 2 applies to any technology service provider or SaaS company that handles or stores customer data. Third-party vendors, other partners, or support organizations that those firms work with should also maintain SOC 2 compliance to ensure the integrity of their data systems and safeguards.
If you are a company looking to scale up by pitching for high-value projects, selling to enterprise customers, or expanding to the US, having SOC 2 compliance can help tip the scales in your favor. It demonstrates adherence to data protection standards and improves your customers’ trust in your product and brand. SOC 2 compliance communicates to your customers, vendors, and other stakeholders that data given to you is in safe hands, which in turn instills confidence in all your potential partnerships.
Only an independent CPA or a licensed CPA firm can perform a SOC 2 compliance audit. The AICPA regulates SOC 2 compliance audits.
The following are some of the advantages of SOC 2 compliance:
- A boost in customer trust and loyalty
- The assurance that your information systems, personally identifiable information, and networks are secure
- A competitive advantage over competitors
In simple terms, SOC 1 focuses on financial reporting, whereas SOC 2 focuses on compliance and operations. SOC 3 contains the same information as SOC 2, but SOC 3 is for a general audience: a SOC 2 report is for auditors and specific stakeholders that require detailed information about a company’s infosec controls, whereas a SOC 3 report can be made available for public consumption.
A SOC 2 Type 1 report highlights the policies and procedures for ensuring adherence to the Trust Service Criteria (TSC) at a single point in time, i.e., the auditor evaluates whether an organization has the right policies, procedures, and controls in place against the TSCs in scope.
A SOC 2 Type 2 report evaluates the operating effectiveness of those same policies and procedures over a specified period, often 6-12 months.
SOC 2 compliance is based on the Trust Service Criteria (TSCs). The Trust Service Criteria were established by the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA). They are used to evaluate and report on the suitability of the design and the operating effectiveness of controls relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy.
These 5 Trust Service Criteria act as the evaluation structure of the SOC 2 audit and report. Out of the 5 TSCs, all the SOC 2 reports must include the Security Trust Service Criteria. The other 4 TSCs are optional and can be added to the report at the discretion of management.
While there are no legal penalties for SOC 2 non-compliance, the cost of non-compliance can be seen in indirect costs – mostly in loss of revenue and delayed sales cycles. Moreover, a lack of SOC 2 certification can put the organization at risk of potential data breaches due to a lack of adequate controls, and the costs of a data breach can run into the millions. Furthermore, non-compliance exposes your company to civil lawsuits from dissatisfied customers and loss of business and reputation.
It is an industry standard to conduct a SOC 2 compliance audit annually or when significant changes are made that will impact the controlled environment. This shows commitment to compliance and encourages trust in the service organization’s systems.
The cost of SOC 2 compliance varies depending on your business’s size, infrastructure’s complexity, and the scope for which your organization seeks attestation. As a starting point, costs can range from $20,000 to $80,000.
Over time, more organizations are demanding third-party security attestation from their vendors to ensure that those vendors are trustworthy business partners. Even if an organization follows the right information security procedures, it can be challenging to prove this to potential customers. SOC 2 attestation is therefore a widely accepted infosec standard for showcasing adherence to best-in-class infosec practices.
However, SOC 2 can require significant effort in developing the right procedures and protocols and enforcing them. In addition, gathering evidence across the organization and the application landscape can be particularly daunting, which is why DevOps and compliance teams often spend months obtaining a successful SOC 2 report.
Scrut Automation reduces your SOC 2 burden by combining the comprehensive automated compliance platform with the most seamless audit experience.
ISO 27001 is an international standard that defines the requirements of an Information Security Management System (ISMS). This standard evolved from the British standard BS 7799-2; it was first published as ISO/IEC 27001:2005 and has since become a leading international standard for information security.
ISO 27001 certification assures customers that you meet global standards for information security. An ISO 27001 certification establishes credibility by building customer trust and confidence in your ability to manage their data securely.
You may scale your product and service quality in accordance with industry-wide, global criteria and procedures with the help of an ISO 27001 certification. Prospects will feel more confident working with the backing of ISO 27001 compliance, which will reflect in the business they undertake and the revenue they generate.
ISO 27002 (2013) is an international standard that provides guidelines for implementing the controls listed in ISO 27001, whereas ISO 27001 itself specifies the 114 controls that can be used to reduce security risks. Organizations can obtain ISO 27001 certification, but there is no certification against ISO 27002.
An Information Security Management System (ISMS) is a set of policies, procedures, processes, and systems that manage information security risks.
The need for ISO certification is determined by your industry’s compliance requirements. Engineering, manufacturing, healthcare, information technology, construction, and other industries must meet ISO compliance standards.
No. Only organizations, not individuals, can be certified against ISO 27001. This does not preclude a sole proprietorship from being certified.
Several factors influence how long it takes. The scope of the certification is critical, which includes the organization’s size, the number and complexity of processes, the number of locations, the number of employees, and the maturity of the organization’s existing information security capability and knowledge. The process may be sped up if the organization already has experience with management system standards such as ISO 9001 (Quality Management).
Most expenses are usually not related to hardware or software but to developing and implementing procedures, raising employee awareness and training, certification, and so on. The major cost components for ISO 27001 include:
- External ISO 27001 certified auditor charges
- Salaries for third-party consultants or senior-level staff for ISO 27001 certification process
- Productivity loss costs during ISO 27001 audit process
- Miscellaneous legal fees during the process
- Staff training costs for the ISO 27001 compliance audit
- Costs for implementing security tools and scaling cybersecurity architecture
ISO 27001 is one of the most widely used data security and information security certifications among businesses. Obtaining this certification, however, is difficult, time-consuming, and confusing. You must gather all Information Security Management System (ISMS) documents, ensure they are current and aligned, and manage this through a review process involving multiple stakeholders. It can take months or years to overcome these obstacles.
The General Data Protection Regulation is a law of the European Union that came into effect on May 25, 2018, and it mandates that businesses protect personal data and uphold the rights of anyone who resides in the EU to privacy. The regulation outlines eight privacy rights that corporations must support and seven data protection principles that organizations must implement.
Any corporation that offers products or services to consumers in the European Union or the United Kingdom must comply with the GDPR.
The GDPR sets forth certain privacy rights for EU citizens, such as the right to be forgotten and the right to have their consent obtained before their data is shared with a third party. For organizations, the GDPR is a legal framework that covers data governance, data privacy, and data management for any organization with customers in the U.K. or EU, regardless of where the company itself is located.
To guide the enforcement of GDPR, the regulation sets forth seven principles. They are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Businesses that do not abide by the General Data Protection Regulation’s (GDPR) rules regarding data processing, data security, and data protection run the risk of incurring hefty fines. For a lesser offense, the maximum fine is the greater of $11.03 million or 2 percent of the company’s annual global revenue. For more serious offenses, the maximum fine is the greater of $22.07 million or 4% of annual global revenue.
The GDPR applies to all organizations that handle the personal data of EU citizens. Any information about an individual, such as names, email addresses, IP addresses, eye color, political affiliation, and so forth, is referred to as “personal data.” Even if a company is not directly affiliated with the EU, it must abide by the rules if it handles personal data belonging to EU citizens (through tracking on its website, for example).
Yes, but transfers of personal data of EU citizens to locations outside the European Economic Area are strictly governed by GDPR. To enable these transfers, you may need to establish particular legal frameworks or abide by certification frameworks, depending on the situation. You can get help from our team of infosec specialists as you follow the required protocols.
Personal data represents any information related to the data subject that is used to directly or indirectly reveal a person’s identity. On the other hand, sensitive data represents information related to the data subject’s fundamental rights, intimacy, and free will. It could be health records, political opinions, or religious beliefs.
Regardless of where it is located, any organization with clients in the European Union must abide by the GDPR requirements to avoid fines and possible business repercussions.
The law applies regardless of whether the transaction occurs inside or outside an EU member state. Because of this broad transnational scope, companies outside the EU have also been reevaluating their standards to comply with GDPR. Despite the risks of non-compliance, many organizations continue to doubt their own capacity to adhere to the regulation, particularly because GDPR’s complexity leaves much room for interpretation.
HIPAA was created to safeguard the confidentiality, integrity, and availability of protected health information (PHI). HIPAA compliance means meeting HIPAA’s regulations, standards, and implementation specifications, i.e., verifying that entities are following HIPAA’s policies to meet its standards for data security and privacy.
HIPAA requires “covered entities” to implement security and data privacy controls to protect patients’ health information from unauthorized access. HIPAA rules apply equally to all types of covered entities, including health plans, health care clearinghouses, and health care providers, who are responsible for transmitting healthcare data in a HIPAA-compliant manner. HIPAA compliance is also required for Business Associates who create, access, process, or store PHI.
Information about a person’s past, present, or potential health condition that is gathered from them by a covered entity must be protected because it either identifies the person or there is a good reason to think that it can be used to find, identify, or get in touch with them.
HIPAA is a legal obligation under which all covered entities are mandated to establish security and data privacy controls to protect PHI from unauthorized access. Examples of covered entities required by law to abide by HIPAA regulations include healthcare providers, insurance providers, and clearinghouses. In this context, health care providers include physicians, hospitals, and medical, dental, and vision care facilities.
It can be if the device collects, stores, or transmits PHI (for example, glucose levels associated with a specific person) to a Covered Entity or Business Associate organization. More medical devices, wearables, and IoT devices include built-in microprocessors and WiFi/Bluetooth, allowing them to store PHI data and transmit it to the cloud, where any healthcare entity can access it.
Any business adhering to HIPAA regulations can benefit largely from compliance software. It enables both covered entities and associates to audit their sensitive data and security measures to determine where they are already compliant, where they aren’t, and how to close remaining gaps.
HIPAA violations include actions such as failing to keep PHI private, inappropriately accessing PHI data, or sending PHI via insecure methods. Violations involving individual health information can result in fines of up to $250,000 or imprisonment for up to ten years.
While the HIPAA Privacy Rule allows patients to access and manage their own PHI, the HITECH Act expands those rights by enabling patients to obtain electronic copies of their health records, provided that the covered entity keeps those records in that format. Additionally, HITECH forbids businesses from selling PHI unless very specific, limited circumstances apply. This successfully prevented service providers from making money off of treatment suggestions.
The security standards meant for protecting the confidentiality, integrity, and availability of PHI are covered under the HIPAA security rule. It stipulates that covered entities must implement technical safeguards to prevent unauthorized access and related security incidents.
Organizations that create, maintain, or transmit protected health information (PHI) are required by HIPAA to abide by its rules. HIPAA is mandatory, in contrast to SOC 2 and ISO 27001, and non-compliance with the framework can result in hefty fines.
Since HIPAA does not mandate a third-party audit, it is difficult to know your compliance status at any given time. With the help of Scrut Automation’s HIPAA compliance framework, you can maintain compliance easily.
PCI DSS applies to any enterprise that accepts, shares, or stores any cardholder data, regardless of size or number of transactions.
PCI DSS was developed in response to the increasing number of data breaches involving payment cards. It protects organizations and their customers against payment card fraud and theft.
PCI DSS is a data security standard designed to protect cardholder data. Any company that processes, stores, or shares credit card data must comply with PCI DSS. In contrast, ISO 27001 provides a framework for an Information Security Management System (ISMS), and ISO 27001 certification is optional.
Control objectives and compliance requirements under the PCI DSS are enforceable even though they are not written into law. While not required by law, the PCI Security Standards Council has the authority to instruct companies to follow PCI standards if they want to handle credit card transactions, and to revoke that access if a company fails to meet the standard’s requirements.
Yes. PCI DSS compliance is required for all businesses that store, process, or transmit payment cardholder data.
Yes. Using a third-party company alone does not exempt a company from PCI DSS compliance. It may reduce their risk exposure and, as a result, the effort required to validate compliance. However, this does not allow them to disregard the PCI DSS.
At their discretion, payment brands may fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will pass this fine on to the merchant and may end the relationship or raise transaction fees.
PCI data includes cardholder personal data such as name, account number, card expiration date, and CVV or CVC, as well as authentication data such as magnetic stripe, chip, and PIN data.
Step 1: Determine your PCI level.
Step 2: Complete a self-assessment questionnaire or have a QSA evaluate you.
Step 3: Build and strengthen an IT security program with Scrut Automation to protect cardholder personal data and meet the guidelines specified in the PCI control objectives.
Step 4: Apply for a formal report with the PCI Security Standards Council.
PCI DSS is an annual certification, but you are required to maintain the security of your environment throughout the year to achieve ongoing certification.
For smaller organizations at levels 2 to 4, PCI DSS compliance costs between $10,000 and $20,000, whereas for large enterprises it costs between $70,000 and $100,000.
Even if your organization only accepts one payment card annually, it must follow the Payment Card Industry Data Security Standard (PCI DSS).
What happens when you don’t have time to read 1,800+ pages of documentation to figure out which of PCI DSS’s 300+ security controls apply to your company, or when you don’t have the funds to hire consultants to become PCI compliant? That is where Scrut Automation comes in. We streamline the PCI DSS compliance process, allowing you to focus on operations and sales.
The California Consumer Privacy Act (CCPA) is the USA’s first comprehensive privacy law. Effective January 2020, CCPA gives California consumers a variety of privacy rights. Businesses governed by the CCPA will have a number of obligations to their customers, including disclosures, GDPR-like consumer rights, an ‘opt-out’ for certain data transfers, and an ‘opt-in’ requirement for minors.
In contrast to GDPR, the CCPA only applies to residents of the state of California in the United States, whereas EU citizens are covered by the GDPR. Furthermore, while the basic premise of both laws, namely that people have certain rights over their personal data, is the same, the specific rights that each law provides are somewhat different.
Many of the CCPA’s rights granted to Californians are similar to the GDPR’s rights, including disclosure and consumer requests similar to DSR requests, such as access, deletion, and portability. Organizations that implement CCPA privacy compliance measures typically have stronger security and risk management controls in place to protect themselves from privacy risks.
With the help of the CCPA, organizations must be more accountable to consumers and more transparent regarding the data they collect and how they put it to use. Organizations benefit more from CCPA compliance in terms of competitive advantage. It allows them to reach a broader audience and draw clients who are more likely to favor businesses that respect their privacy. Organizations that establish proper measures for CCPA privacy compliance also showcase better security and risk management in their daily operations.
For-profit organizations must comply with the CCPA if they process the personal data of California residents. The organizations for whom CCPA is mandatory – irrespective of location – can be recognized in one of the following ways:
(A) If they have annual gross revenues of more than $25,000,000
(B) If they buy, receive, sell, or share for commercial purposes the personal data of 50,000 or more consumers, households, or devices each year, or
(C) If they get 50% or more of their annual revenues from selling California residents’ personal data.
The CCPA privacy law gives residents of California the right to know which data is being collected and how it is being used. The right to have their PI removed and the right to be treated equally when exercising their CCPA privacy rights are also provided to the residents.
Organizations that are governed by the CCPA are required to respect these rights in their everyday operations. Additionally, they must describe their privacy policies in their online privacy statement, which among other things, must describe how the organization gathers and uses individuals’ personal information.
The private right of action under the CCPA is limited to data breaches. Damages under a private right of action can range from $100 to $750 per incident and per consumer. The California Attorney General may also enforce the entire CCPA, with a civil penalty of up to $2,500 per violation or $7,500 per intentional violation.
No. The company need not obtain a person’s consent before collecting or using their personal information. The CCPA’s consent requirements come into the picture if the company intends to sell that information.
PI can be any information about an identified or identifiable individual. There is no distinction between a person’s personal, public, or professional roles. The defined term ‘personal information’ roughly corresponds to the GDPR term ‘personal data.’ However, CCPA does include family and household data.
The CCPA was launched in 2020, and it stipulates that organizations uphold a long list of “consumer” legal rights to control the use of California residents’ personal data. Non-compliance with the CCPA can result in regulatory and civil enforcement actions, as well as significant monetary penalties for organizations. The challenges underlying CCPA compliance include limited implementation time, unstructured data management systems, and compliance with multiple state data privacy laws.