
The importance of Compliance in Cybersecurity

Incidents of cloud systems having their data stolen, held hostage, leaked or destroyed are accelerating. 2019 data breaches include:

• Quest Diagnostics: medical, financial, and personal information of 11.9 million patients
• Capital One: credit card application information for about 100 million individuals
• Zynga: personal information and Facebook IDs for 218 million player accounts

In addition to these large incidents, smaller incidents severely impact thousands of cloud systems every year.

As a result, almost all organizations understand the importance of implementing robust cybersecurity for their cloud systems. Most organizations make sure they have good access controls, antimalware, intrusion prevention, monitoring, logging, and alerting systems. Many organizations have the extensive QA testing procedures required to keep their systems continually updated with the latest patches. Some organizations continually train their employees so that, as cloud technologies rapidly evolve, their staff understands how security protections must evolve with them. A few organizations take cybersecurity a step further and focus on compliance.

Compliance??? Isn't that just paperwork?

Compliance with a cybersecurity standard means successfully passing that standard's third-party security audit, which must be repeated on a recurring (typically annual) cycle. For an organization's IT department, a focus on compliance amounts to an understanding that no matter how talented their security team may be, their organization's cybersecurity will benefit from the close scrutiny of third-party experts. For an organization's sales teams, the certification or authorization that comes with passing an audit is a key element in assuring their customers that their cloud systems are protected. Don't take our word for it – take the word of the third-party auditor.

But not all compliance standards are created equal. Some compliance standards like ISO 27001 have been around for many years and apply to both on-premises and cloud systems, so they are not as prescriptive. Other standards like HITRUST are newer, focused on cloud systems, and much more prescriptive. Some standards like FedRAMP are still more prescriptive and involve more oversight. Customers that understand these differences place higher value on cloud systems that are compliant with more prescriptive cybersecurity standards.

Here's an example. Multi-factor authentication (MFA) is one of the best protections against a wide range of cybersecurity attack vectors. What do ISO 27001, HITRUST, and FedRAMP require regarding MFA? ISO 27001: no specific requirement. HITRUST (level 2): "Multi-factor authentication methods are used in accordance with organizational policy". FedRAMP: "The information system implements multi-factor authentication for network access to privileged and non-privileged accounts." In other words: no requirement vs. at your discretion vs. required for all users. So compliance with a higher standard can give an organization's customers an assurance of a higher level of cybersecurity.

Here's another example. Audits for all cybersecurity standards include reviewing an organization's policies and procedures along with evidence that they have been implemented. But unlike ISO 27001 and HITRUST, FedRAMP goes beyond this by requiring auditors to also perform vulnerability scanning and penetration testing (ethical hacking) on the cloud system. In addition, FedRAMP "continuous monitoring" requires the organization to have monthly meetings with a government oversight agency to present results of the cloud system's latest vulnerability scans along with plans for how those vulnerabilities will be remediated in the required timeframes.

In summary, cloud cybersecurity is crucial. Most organizations understand this. But leading organizations also understand that certified compliance with a cybersecurity standard is crucial as well. Cybersecurity audits lead to improvements in the security of an organization's cloud systems, and the resulting certifications provide assurance to the organization's customers that the cloud systems have implemented a known level of security. For sophisticated customers, that assurance is stronger if the certified compliance is to a higher standard.
Project Hosts, Inc | 877-659-6055 | projecthosts.com | sales@projecthosts.com
