
BSidesSF 2022 - Achieving HITRUST on a Budget (Shobhit Mehta)

BSidesSF · 50:27 · 347 views · Published 2022-07
About this talk
Shobhit Mehta - Achieving HITRUST on a Budget. HITRUST is the most sought-after certification by healthcare organizations, but the resources and time required are daunting. On average, the HITRUST certification costs more than $300K+ and 22 months. Ginger took a different approach and passed the HITRUST assessment in less than $100K and 11 months. Sched: https://bsidessf2022.sched.com/event/rjqu/achieving-hitrust-on-a-budget
Transcript [en]

Our next speaker will be Shobhit Mehta. Shobhit is a security compliance lead at Ginger, an on-demand mental health company here in San Francisco. Today we're going to be talking about achieving HITRUST on a budget. Take it away.

Thank you, JJ. Hey everyone, thank you for coming, and thanks to the organizers for having me. My name is Shobhit, and today I am going to speak about achieving HITRUST on a budget. Over the last two years I've been working extensively on the HITRUST project for Ginger, now Headspace Health, and in those two years I have had the opportunity to work with a number of different companies and ask about their best practices. My goal today is to distill all the learnings and experiences that I had over the last two years into 10 bullet points for your HITRUST journey.

About me: I am currently the security and compliance manager at Headspace Health, formerly Ginger. I held GRC roles at PayPal, Fidelity Investments, Deutsche Bank, Credit Suisse and HSBC. I did my master's in information assurance and cyber security from Northeastern in Boston, and I'm highly interested in healthcare compliance, privacy, running and writing, so if you have similar interests as mine please reach out after the talk and we can have a very good conversation regarding that. The slides will be available after the talk, so you don't need to take any pictures unless you really feel the need to do so.

So what are the goals for today, what are we going to speak about in the next 40 to 45 minutes? My goal is to give you some guidance on how to prepare for a HITRUST assessment on a budget and in a timely manner. I have seen companies spending more than three hundred thousand dollars and still managing to fail the certification, and we at Ginger, and many other companies, have achieved similar in less than a hundred thousand dollars and were able to pass this certification. So my goal is to give you some guidance on how to reduce your budget, and what the open source tools are that you can use to keep your budget within a hundred thousand dollars. And when I say in a timely manner, it's within a year, or 11 months like we did at Ginger.

The other goal that I have for the talk today is to give you some guidance on initiating successful organization-wide security programs and cross-functional projects between technical and compliance teams. From my experience of working with the different teams there is always this dichotomy between the engineering teams and the compliance teams: they don't speak the same language. So my goal today is to give you some guidance and bullets which will help you speak the same language and be on the same page for your HITRUST assessment. And lastly I would like to give you some guidance on tools that we used at Ginger and Headspace Health that will help you alleviate some of the budget pain that you will face in your HITRUST journey.

With those goals, a couple of assumptions as well. I'm assuming that you have some familiarity with HITRUST but don't know where to start. What I mean by that is you know how to do the scoping, you know how to reach out to the external assessor, you have already finalized an external assessor, but you don't know where to start to keep the budget down and start the process of HITRUST. The other assumption that I have is that you have limited resources in terms of operational cost and time, and like I mentioned earlier as well, one of the goals of today's talk is to keep the budget within a hundred thousand dollars and the run time to be less than a year. Which brings me to my third assumption: that you have at least a year between now and your HITRUST external audit. If you don't have a year between now and your external HITRUST audit, which is going to be with your assessor, it's going to be hard to replicate all the learnings from the slides. If you have a few quarters between now and your HITRUST assessment you may leverage some of the learnings from this, but the ideal scenario would be that you are planning your HITRUST external validated assessment sometime this year, in 2023. And lastly, Ginger/Headspace Health, we are always a SaaS-first company, and all the learnings that we had were on the same lines, so I'm hoping that you also had similar learnings or you have a similar infrastructure, where your infrastructure is heavily reliant on SaaS. We at Ginger/Headspace Health never, almost never, go for on-prem services; we look for services which are SaaS-based, and they can do all the security stuff for us and we can do our due diligence.

Now, why HITRUST? Why not speak about SOC 2, or why not speak about ISO 27001, which are in the similar space? When we were deliberating which

assessment we should be doing, we came up with these three pillars for HITRUST that I think are extremely important to learn and understand. In HITRUST what you can do is you can have multiple authoritative sources. So for example, if you are a healthcare company like us you can have HIPAA in your scope; if you are a company based in California you can have CCPA in your scope; if you are based in the UK as well, or you need to comply with GDPR, you can have GDPR in your scope; and similarly, if you are a payment processor, you can have PCI in your scope. So rather than having all these different certifications, which I have seen many companies do, you can have one HITRUST certification, and when you'll be doing your scoping you can have all of these in your regulatory factors. What HITRUST does is it does all the hard work for you and gives you the list of controls that you need to comply with in order to comply with all these different authoritative sources.

The second reason that we chose HITRUST and not ISO or SOC 2 is that it goes beyond the CIA triad. From my fair share of experience, SOC 2 is very catered towards the security, logical and HR controls, and it doesn't necessarily speak about the privacy, about the regulations, about the compliance in different industries. So for example, unless and until you are going for SOC 2 plus HIPAA, there is no way you can get certified for HIPAA as well, and if you want to comply with privacy standards as well then you have to go for ISO 27017, which is a different standard altogether. So this was the second reason we chose HITRUST and not the other standards that are in the industry.

And last but not the least, scope is paramount in HITRUST. I have seen some companies who just don't feel the need to have the critical systems in scope, and when you speak of SOC 2 you can say this is outside of our SoA, or we are not storing any confidential information there, and you'll be all good; you don't need to worry about having those critical systems in scope. But in HITRUST, the first thing that you will do with your external assessor is to finalize the scope. If your external assessor is good, they are going to ask you a bunch of questions, they are going to hold workshops with you, they are going to ask you how many transactions you are processing, what the number of interfaces is that you have, how many systems you have in scope, where you are storing confidential information, whether you have any offices in other regions where you want to get compliance, and all of these add up to the cost and the number of controls in your HITRUST assessment. So this is extremely important to discuss with your external assessor: what's the exact scope of your HITRUST.

A bit about Ginger's HITRUST journey. I joined Ginger in January of 2020, and I took a couple of months to understand the systems and the processes and policies that we had. Then from May to April we did our gap assessment; we took over that quarter to perform the gap assessment at Ginger. Then from May to August we did the gap remediation, which is an equally important piece of HITRUST. In September to December of 2020 we did the audit interviews; we asked our external assessor to come and speak to our different teams, we submitted all the evidence, and in February of 2021 we were able to receive our final validated certification from HITRUST.

A bit about HITRUST metrics as well. Like I mentioned earlier, HITRUST is extremely prescriptive and it requires a lot and lot of evidence. When we submitted our HITRUST assessment and we did this analysis, we realized that we submitted more than 1200 pieces of evidence to HITRUST. We created, modified or reviewed more than 400 pages of policies and procedures, which in turn led to 42 different policies, procedures and documentation. And lastly, talk about Zoom fatigue: we held 186 meetings between internal and external stakeholders. 142 of those meetings were with internal stakeholders, and when I say internal stakeholders those are the teams in engineering, sales, legal, compliance, privacy; and 42 were with external stakeholders. So just like you have internal stakeholders, you will have to reach out to AWS, who is your IaaS provider, or something similar; you will have to have meetings with your external assessor who will be doing the audits; you will need to have some meetings with HITRUST themselves to get the subscription and make sure that you are having the right subscription and number of users for your MyCSF portal, and so on and so forth. So we held 186 meetings at the peak of Zoom fatigue.

A few more metrics. When we started this journey of HITRUST we were at 189, 190 people across Ginger (Ginger, not Headspace), and 33 of those team members actively participated in the certification in some way or the other. So effectively one-sixth of the entire company was participating in HITRUST in some way or the other. We implemented seven tools to fill the gaps that we realized in our implementation domain, and then we started 10 security projects for our HITRUST assessment.

Okay, enough of the back story. Before jumping into the talk, I just wanted to give you this breakdown of policies, processes, tools and documentation. The next 10 points I tried to break

down between processes, tools and documentation, so that you can delegate accordingly to whoever is responsible for these pieces; if somebody is responsible for processes you can reach out to them, and so on and so forth.

So the first bullet that I learned from my conversations and my experiences is: you need to perform the gap assessment and remediation yourself. When you outsource the gap assessment and remediation, you are not only outsourcing this piece of the audit, you are also outsourcing the relationships you are going to build with different teams when you do this exercise with them. You're also going to outsource learning all the processes and the tools that they have implemented in their systems. And last but not the least, you are going to pay a lot of money to external assessors for the gap assessment. Ideally what the companies do, or the external assessors do, is they charge you by the number of man-days, which is equivalent to the number of controls that you'll have in your scope, and if you have a large scope like we had it's going to cost upwards of fifty thousand or sixty thousand dollars for the gap assessment and remediation itself. So this is my first idea to get the budget within a hundred thousand dollars and keep it timely.

And how to do that? You can leverage MyCSF for doing your gap assessment and remediation yourself. If you have a subscription to MyCSF, what you can do is, once you have the scoping done, you can download all the controls from MyCSF and you can have those controls in a Google Sheet or something similar, and you can plan your gap assessment and remediation accordingly. Once you do that, you can have the Google Sheet with the responsible team, efforts, the number of controls that you have, and then the timelines as well, which will become extremely helpful for you when you do your remediation.

Now this is just a quick snapshot of how we conducted the gap assessment at Ginger. As you can see, in the first column we have all the domains listed, and in the subsequent tabs I have all the controls that we needed, and for each of the domains I have the start date and the end date with the timeline and the status for all the domains. Once you do this you will start speaking to your different teams and ask about the illustrative procedures that you have implemented or that you need to implement, and after you are done with the entire cycle of gap assessment you can have this sheet, which will give you what you need to do. So after you did the gap assessment you can have the gap remediation done. Here also we followed the similar process: we had a column with all the domains, and then for policies, procedures, implemented, measured and managed, how many gaps did we identify. Once we identified those gaps we had the start date and the end date, and then the timelines and the status. This becomes extremely useful when you have to submit your evidence as well, because what you're going to do is to download all the controls from MyCSF with their illustrative procedures, and you are going to compare each of those illustrative procedures with the controls that you have implemented. If you don't have any of those you can track those in this spreadsheet, and that should serve as a good remediation exercise for you. If you can take one thing from the entire presentation, this should be it: you need to do the gap assessment and remediation yourself, to build those relationships and keep the cost down.

The second guidance that I have is to make sure that you have HITRUST as part of your information security program. HITRUST is extremely prescriptive, and every single thing that you're doing in your company right now, or you want to do in your company right now, can be tied back to the HITRUST project. If you're implementing any tools, please make sure that you are having that tied back to the CSF domain. If you're starting a new project for your SSDLC or SDLC, whatever it may be, make sure that it's tied back to the

give you a couple of examples: for the annual risk assessment, which I believe every company does, there's this entire domain, domain number 17 in MyCSF, that you can download along with the prescriptions. So even if you're doing the annual risk assessment, what you need to do is just to extend that a bit so that you have the prescriptions from MyCSF, and then you are doing your annual assessment in accordance with the prescriptive guidance from HITRUST. Similarly for vendor management: I'm pretty sure all companies do this, but if you identify that you have some gaps in your vendor management, make sure that you're using the prescription from domain number 14, which is third party assurance. For penetration tests, if you're conducting penetration tests or vulnerability assessments, make sure that you're having the prescriptive guidance from MyCSF, which is domain number seven, vulnerability management. And just to give you an example, when we did the pen test, or when we started this HITRUST project, we did not have a proper vulnerability management program, so we took the guidance from MyCSF and we started that entire program for us, which helped a lot in submitting the evidence and so on. And lastly, for deletion requests: if you are processing customer or member deletion requests, please make sure that you are taking the guidance from domain number 19, which is data privacy, and you are having all the guidance from MyCSF on how to process the deletion requests, how to track the timelines, and everything that can be done to cater to such requests. All of that is available from HITRUST. Now these are just a few examples, and I would highly recommend you check the other domains as well. I'm pretty sure you are doing all of these things in your company but you are

The third bullet that I have is: initiate an organization-wide security awareness program. We all know the security awareness trainings that we do within 30 days of onboarding and then annually thereafter, but to have the HITRUST certification done you have to have a security awareness program and not a training; there's a major difference between both. And if you're a fan of ISACA, just like me, it's in all their books that executive sponsorship is the most important thing to have the HITRUST certification done. But I believe for HITRUST the individual buy-in and support is more important than the executive sponsorship

pieces of evidence from these different teams, so it becomes a lot easier if you have their buy-in. So at Ginger what we did was we started this program called the Security Insider program, with volunteers from each team. Rather than somebody forcing somebody to give us the evidence, we wanted them to be a part of the HITRUST project, and we had that done by starting this Security Insider program. They were an extension of the security team, and not a different team who were working on their own. We trained them on different security controls; we trained them on tracking the shadow IT apps; we trained them on becoming application admins for applications which are not managed by IT or security. If it's a SaaS application and they don't support SSO, your team can just go and start, and you will have no visibility into that, and that's extremely important to know when you're having this highly SaaS-reliant infrastructure. We trained them on role-based access control, so they were responsible for tracking the role-based access. I know we all hate shared passwords, but there are some websites where you can't help having shared passwords: Facebook, if you have a marketing page, they don't have a separate account for your admin and non-admin. But how do you manage those passwords when you have a team of three working on this huge project along with all the different things? You ask your security insiders, you train them, you track those in Google Sheets and similar, to make sure that those are all tracked and rotated when required.

This is something that I learned after we achieved our certification, and this is a certification that is provided by HITRUST themselves, so I would highly, highly recommend getting at least one team member HITRUST CCSFP certified. MyCSF is extremely rich in functionality, complex to navigate, it seems that they are using some software from the, but there's a lot of functionality and you need to use all this functionality for your SaaS services or for your HITRUST. So if you have infrastructure that is in AWS, Azure or GCP, what you can do is you can inherit the controls from them rather than having all those controls implemented by yourself. If you have a platform-as-a-service provider such as Datica or similar, you can inherit some of the controls from them rather than implementing all those controls by yourself, and what you need to do is to use the inheritance functionality in HITRUST, or MyCSF, to inherit all those controls. The second function is the diary. Rather than having a lot of email communication with your external assessors on the guidance that they need or the evidence that they need, what you can do is you can use this diary function within MyCSF, and this will allow you to have these conversations directly with your external assessors on that particular control. So rather than having those email exchanges between your teams and MyCSF folks and the external assessors, you can have this diary function, which will be extremely helpful to reduce that communication and get things done faster. And lastly, delegation: if you have a different privacy team altogether, you can delegate the entire domain to them; if you have a different vendor management team, you can delegate the entire domain to them; and similarly there are a bunch of other domains which are related to wireless security, which you can delegate to your IT teams, removable media domains, and so on and so forth, which you can delegate to different teams. So this is extremely important to learn and understand: how do you make the most of your MyCSF tool.

And lastly, you need to understand the scoring rubric. There is no way that you will be able to pass the certification if you don't have a good understanding, and a good external assessor with a good understanding, of this scoring rubric. HITRUST recently changed their scoring rubric; in 2019-2020 they changed the scoring rubric of policies, procedures and implemented, and if you understand the scoring rubric correctly, what you can do is focus on the things that are most important to you. Rather than having a lot of effort go into measured or managed, you can choose to have more effort on the policy side, or more effort in maturing your procedures, or more effort in just implementing these scores, which is the most important domain in HITRUST, and all of that will be extremely helpful if you understand the rubric and the PRISMA methodology that HITRUST uses to mark the control requirements.

Lastly, identify the inheritance controls. This is something that we did at Ginger for our AWS, which is our IaaS provider, as well as Datica, which is our PaaS provider, and what you can do is you can leverage

the shared responsibility matrix from HITRUST themselves, so you don't need to figure out what the controls are that I can leverage for MyCSF for my domains. HITRUST has this extensive guidance with the domain ID, the control ID and the percentage that you can inherit, and it's extremely helpful to have all of this done and sorted before you even start your external assessment. For that, what we did was we reached out to AWS and we had a soft approval even before we started our HITRUST journey. We took the guidance from the shared responsibility matrix, we asked our AWS account manager to connect us with someone in the compliance team, they connected us with somebody in the compliance team, we developed this relationship, and it so happened that when we submitted the controls for their soft approval via email and a Google Sheet, they came back saying that these are not the right controls and you need to do some more work. But since we had the relationship we were able to get that done quickly; we were able to get them on the phone and then speak about how we can leverage the MyCSF shared responsibility matrix, and all of that helped us a lot in expediting that request. Now please keep in mind that when you're submitting this inheritance request to MyCSF in the portal, there are hundreds of different companies who are submitting requests at the same time. They all want to get their inheritance requests submitted and approved as soon as possible from the IaaS providers, but if you don't have that relationship it may not get prioritized, and this might delay your certification. So you want to make sure that you have all those tools identified beforehand, you have the controls identified beforehand, and then you have the soft approvals for each of those.

This is extremely important as well: you need to include the technical controls in the SDLC. HITRUST has this policy, procedure and implemented, and what they do is they have different scores for each, and for some reason HITRUST pays a lot more attention to the implemented part. As I mentioned earlier as well, there is always this dichotomy between the engineering team and the compliance teams, and they don't speak the same language, and sometimes you may not have some of the tools implemented. So you need to make sure that you are having all those tools in your SDLC from the very start, or as soon as you can. There are some tools (we don't use all these tools at Ginger; these are just examples) that you can use: open source tools like DefectDojo for your vulnerability management if you don't have a project management tool; you can use OSSEC, which is an open source tool, for your HIDS, an extremely important control for the MyCSF domain; you can use OWASP ZAP for your DAST; and you can use GitHub Dependabot for your dependency issues. So just a sample of tools. I have seen companies using Prometheus and Grafana for their log management, and they were able to use that as a source for their HITRUST evidence. I have seen companies using Wazuh or Snipe-IT for their asset management and log management, and they were able to pass the HITRUST certification from that evidence. So, regardless of what tools you do plan to implement, you need to make sure that you are implementing some of the tools.

Now having tools is one thing, but please make sure that you are having all that guidance, all these tickets, in a project management tool. HITRUST is extremely stringent in the evidence that they require, and if you have these tickets and fixes in a project management tool it will be extremely easy for you to show these tools, or show these tickets, to your external assessor and then move on from there.

This one is pretty unique to our infrastructure, but I wanted to lay this out as well: you have to implement a SaaS management tool. If you are a SaaS-based company like us and you don't have a SaaS management tool, it becomes extremely difficult to cater to those services. At one point across all of Ginger we had 300-plus applications across the environment. Of course some of those were marketing applications, some of those were just applications for brainstorming during COVID, but there will be some applications where you'll be storing your PII and PHI, and if you don't have a proper understanding of your SaaS environment it will be extremely difficult to keep track of all these services. The second benefit of having a tool like this is you can do your due diligence a lot more efficiently: you can have your SOC 2 reports within the SaaS management tool, you can have the BAAs and the DPAs within that tool, you can have business owners in the SaaS management tool for each of the applications, you can have the annual reviews for each of those applications and who the owners are and who the users are, and so on and so forth. So if you have a good SaaS management tool, it will alleviate a lot of your pain for achieving HITRUST, and not just HITRUST but to maintain your IT. Of course the SaaS management tool is useful in annual compliance review, monitoring, tracking any corrective action plans, data deletion and contract termination. So if you are terminating a contract with one of the vendors, you want to make sure that you are receiving this alert from the service itself that you

terminated the contract, and you want them to delete all your data that they hold for you.

This one again may sound a bit ubiquitous, that everybody does that, so why do we need to have electronically approved documentation? But I have seen companies lose their marks because they did not have the electronically approved documentation. There are two things when you are talking about approval, or document, policy or procedure approval. One could be just an approval where you have your change table, or change history table, and you say yup, this is the owner, this is the reviewer, this is the approver, and we are all good, and that should be sufficient for your SOC 2 or ISO. But for HITRUST they have something called a bake period, so if you don't have a proper date on your HITRUST documentation, in your policies and procedures, they may not consider it a proper policy and procedure for HITRUST. Currently the requirement is you have to have your policies and procedures approved electronically 60 days before your external validated audit; you have to have the implementation done 90 days before your external validated audit; and if you don't have this you might lose some marks in your scoring rubric, which you really want to avoid. You can use services like DocuSign, HelloSign, Adobe Sign, and all of that could do the job of approving and sealing the document before the bake period of 60-90 days.

If you take the second slide from this presentation, this should be it: start with the relevant scope. I have seen companies expand their scope so much that they had 1,800-plus controls in their HITRUST audit, and it's extremely difficult to have all those controls done within the first iteration. So ask your assessor; if your assessor is good they will ask you to tone down your scope to the most important buildings and infrastructure. A couple of examples: if you have an office in San Francisco, you have an office in New York and you have an office in London, but your offices in London and New York don't have anyone doing any IT work, they are just marketing people doing their marketing jobs, in the London office they are just recording some sound, do you really want to have this in the scope of your HITRUST? Ask your assessor whether they would be able to have this removed from your scope for the time being; you can try to have them in the next iteration, but for your first assessment ask your assessor as many questions as you can on toning down the scope. The second example is, do you need all the applications and business functions in the scope? Again, like I mentioned earlier, at one point we were using more than 300-plus applications at Ginger, but we didn't need all those applications to provide services to our customers; we are not storing any PII, PHI or any confidential information in those services. So ask your assessor, can you tone down all those applications and only focus on the stuff that is most important to you and your customers and members. This should be your first priority after you decide on the scope. And lastly, ask yourself, can you obtain the passing score without testing for measured and managed? HITRUST has this flexibility that you can choose not to have measured and managed in your scope, and what it does is, of the hundred passing points, or the hundred total points, you can choose policy, procedure and implemented, and if you feel that you're confident enough in all those three you don't need to have measured and managed in your scope. You can just go without them and then get scored out of those remaining 20, 20 and 40, 40 (I don't remember the exact percentage), but you can again get tested on policy, procedure and implemented and not the measured and managed. So ask your assessor, but more importantly ask yourself, do you feel confident enough to pass the certification without having the measured and managed in scope?

And lastly, again, this might sound like "we do this all the time", but again I'll read it here: document every single thing that you've been doing: role changes, termination requests, contractor onboarding and trainings. If you don't have an LMS, make sure that you are tracking your contractor trainings in a Google Sheet, and you are asking for the screenshots when they are completing the trainings. If you don't have an IT system, make sure that you are asking for emails when the owners send out the emails to terminate employees to the IT team. If you don't have a proper tool to track the role changes, make sure that you are asking for email from the managers: who is the manager right now, and the lead manager who is going to be the next manager, to ask for these role change emails and notifications. All of these will be extremely important when you will do your HITRUST. If you are doing any updates to policies, if you are evaluating any tools, make sure that you have a business case, you have a comparison, you have the business case approved from somebody in the team like a senior manager, you have the budget approved for the tool. If you're disposing of or wiping any assets, make sure that you are at least maintaining a Google Sheet; it is extremely important to have this done as well. If you are processing deletion requests for CCPA and GDPR, make sure that you are tracking all of those as well. If you are conducting penetration tests or vulnerability management, make sure that you have all those limitations documented as well. All of these will play a huge, huge role in your HITRUST evidence collection when you will be in that phase. A couple of things, like I mentioned: maybe if you're attending this conference, document this; if somebody is attaining a new certification, document that; that will be a part of your workforce development plan control, which is like 50 or 20-odd controls in domain [unclear]. So document all of these as well: that you attended this talk, or you did the RSA conference, or you have this budget for employees to do these certifications, all of that will come in extremely handy, and even for your internal training. So if you have a training for incident response, make sure that you have the video recordings for that, make sure that you have the email notifications out for that, and the calendar invites, and then all of that stuff will be extremely handy for different domains, and you need to track each of those.

Okay, so to summarize: be proactive in your communication with internal and external stakeholders. Again, when I say internal stakeholders, these are your legal teams, your compliance teams, your privacy teams, engineering, marketing, HR, people ops, talent (because they will be doing the JD for security folks), so make sure that you are proactive in your communication and what the requirement is for this HITRUST certification. And then be equally proactive with the external stakeholder expectations as well: be extremely proactive in communicating with AWS if you are using AWS, be proactive in communicating with HITRUST or your external assessor, and all of those will pay in leaps and bounds when you'll be in your external audit phase. The second summary that I have is: agree on the minimum required scope with your external assessor. This is extremely important to keep the cost down, and more importantly keep the

budget end time down all of those will pay a part in your external assessment when you do the the audits so make sure that you agree on the minimum required scope at least for your first iteration and lastly make use of fighters illustrative procedures for your information security program hytrust has this very very prescriptive procedures of for each of the controls on what they need so make sure that you are using them to the most of your abilities and you are tracking those all the way for each of the each of the bullets and domains this will be helpful for you when you will do the gap assessment and deterioration and move forward from there

and this is the third most important slide from my presentation high trust is not a sprint definitely not a marathon but a 5000 meter relay and i would like to explain that a bit as well why why i chose that statement if you are doing an assessment like stock tour iso you can get it done once and then you don't need to to work on that again and again stock2 is valid for two years and you don't need to have the the or benefit for one year but you don't need to to do a lot of stuff in that if you think of high-test as a marathon but marathon is a one-player game and you cannot win high-test with a

one-player game even if you're willing to run 42 kilometers alone it will not serve the purpose of high trust you have to have the buy-in from different teams because ultimately they will be the ones supporting you at the end of the document at the end of the audit and providing all the evidences and helping you with with the with the uh volunteering for the security team and so on so forth so it's definitely not a marathon you have to have the support from different teams and the last piece is it's a 5000 meter relay so it's not a thousand meter relay you have to put in some efforts it's a 5 000 meter relay where you will have to have

a bunch of players supporting you to win the race you as a team will be working with different teams internally those are some of the participants in your relay you will be working with aws or your ism ps providers they are one participant in your relay you will be speaking to your external assessors who are a whole different entity and they will be they'll be helping you out a lot in the in the journey and then lastly the hikers themselves so if you have a good relationship with high trust they can get you with on the phone and they will solve a lot of your issues like uploading the evidences towards the end or doing the

offline upload and you will get to all of that when you will submit your mycsf final assessment but again i just want to reiterate that this statement that high trust is not a sprint uh definitely not a marathon but a 5000 meter relay so be be prepared for that uh that's all i have my again my contact details are here the grc musics.com i like to write a lot about my work and philosophy and whatever it may be my running adventures and so on so forth uh you can always reach out to me at show with ginger at i o and i can i can share the the excel sheets with you from after update updating so approval and

then my linkedin is show with mata and the slides are available here so bit.ly and the code next to it is case sensitive so the second s is uh a capital s and and you need to make sure that you are putting the right uh code in there that's all i have i'll i'll open it for any questions comments

Sure, so the question is: did we strategically choose not to have policies, procedures or implemented because of the time or effort constraint? And the answer is no. For our first iteration we did not have measured and managed, so we were heavily relying on those three domains, policies, procedures and implemented, and since we did not use any external assessors for our gap assessment and remediation, we wanted to make sure that we made the most of what we were going for. If we strategically chose not to have something from policy, procedure or implemented, it might come back on us adversely towards the end: that we did not have this and now we are failing

because we did not have that in the beginning. So even though we had to put in a lot of effort and implement a lot of tools, we did all of that, at least for those three domains, and like I mentioned we developed a lot of procedure documentation, 42 of those including policies, so we did do a very thorough job on those three domains.

So the official guidance is that it changes at least every year; that's the official guidance that they have. They recently came up with 9.6, which is a minor iteration, and they are planning to release version 10 sometime in the near future. But for the official guidance they do want to have this updated at least on an annual basis, and they may not necessarily change all the controls themselves; they might add some authoritative sources. So even if you're on version 9.3 you don't necessarily need to go to version 9.6 if you're not going for those external authoritative sources; you can just rely on 9.3 and that should serve the

purpose of your HITRUST assessment.

Yeah, I have two examples that I want to speak about. The first one we use at Ginger, so of course a disclaimer, no sponsorship or anything like that, but we use Blissfully at Ginger, which is extremely helpful to manage all the services. The best part about using Blissfully is it scans all the domains, or all the emails, and then it gives you an overview of how many applications you have, who the users are using those applications, how often those applications are used, who the users are, whether you need to do any vendor approvals and so on and so forth. So there are a bunch of functionalities, and they

recently merged with another company called Vendr, V-E-N-D-R, so if you have Vendr you can get Blissfully for free, which again is a good thing. The other application that I want to speak about is AppOmni. They are pretty good, but the only issue that I have with them is they don't do the discovery part. Like I mentioned, Blissfully scans all the Gmail emails and then it will give you an overview of all the applications, but AppOmni cannot do that; you have to input the applications manually, and once you input the applications then it will cascade to different sectors, for example for Slack, what

bots do you have on Slack, for Gmail, what plugins do you have on Gmail, but it will not discover the applications itself, which I think is extremely important for a SaaS management tool. Exactly, yep.

Yeah, yeah, great question. We had a few corrective action plans; we had around 10 on our procedures, so I think that's something that we needed to work on. Like I mentioned, we did not use any external assessor for their guidance or consultancy and that's why we lacked in the procedures bit. We did not have enough procedures for our disposal of IT and some of the things that are pretty common; we were doing all of that, but we did have some corrective action plans, so we had to work on those for our interim assessment. I'm not sure if you're familiar, but if you're doing your interim assessment then you have to have all those CAPs remediated

along with one control from each domain. So we had all of that done in the interim and we were able to get the interim letter as well.

Yeah, good assumption, we're heavily doing SaaS applications.

Yeah, so the question is: do I have any recommendations for folks who have a lot of on-prem infrastructure and don't have a lot of SaaS? I believe all the bullets that I hit will help you in that scenario as well. The only thing is you will need to manage your infrastructure yourself, and if you are willing to do that and you have the capacity to do that, I think all of these will be applicable for that as well. When we started this journey of HITRUST at Ginger we were only three folks: myself, one more IT person, and of course our data privacy officer. So we had

very limited understanding and we had very limited time with us to conduct all of that, so we did the best we could, and we were heavily led on SaaS, so we implemented a SaaS management tool and that served us really well. Yep.


Yeah, yeah, so the question is: some of the language in the HITRUST CSF is pretty vague, and is there a way we can try to figure out the exact control requirement behind that vague language? I would say if you have such issues the first source would be to go to your external assessor and ask them what they need to get the requirement done. The second thing that you can do is to see the source itself. If you go to the HITRUST website you can download MyCSF and you will be able to see each of the frameworks as well. So for this control where you say we have network activity sessions to be closed after a

period of time, HITRUST will give you the exact framework from where they picked the language, and you can search for this specific control in that framework itself and see what the requirement is: do you really need to have those sessions closed, or is this something that you can work around with your external assessor, saying this is not even applicable to us? So I would say the first source would be your external assessor, and if you're not satisfied with their answer then you would rather want to go to the source itself, which is the source for this control within MyCSF, because MyCSF is nothing but a

combination of all these different authoritative sources.

Yeah, yeah, that's a great question. So the question is, in HITRUST itself they have different levels of controls, level 1, level 2 and level 3, and sometimes they ask you to implement level 3, sometimes they're okay with level 2. Of course I would say speak with your external assessor; they should be the ones guiding you on which level of controls you would need. I can speak for Ginger: we were extremely good on implemented, so even for controls which only required level 2 we went for level 3 implementation, because we did not want to lose any of those marks, and we did not even know about that. Only I did

the CCSFP certification myself, so for Ginger it did not matter to us a lot which level of control it was, because we were doing the best we could to make sure that we were hitting all the right notes on that control framework.

And on behalf of the conference and the conference speaker gift sponsor, Maltego, we want to give you this token of our appreciation. Thank you. Thank you.