Many Hybridge clients handle confidential data that requires them to operate under various compliance regimes, including SEC, SOC 2, HIPAA, PCI, and ISO27001. While all of these improve security, and probably your customers ask about them from time to time, there are substantial differences between them.
What are these differences, and should you consider the very substantial investments necessary to become compliant with any of these standards?
Firstly, there is a distinction between being “compliant” with these standards and being certified (or registered) as actually complying with the standard. The standards boards responsible for SOC 2 and ISO27001 encourage having an external auditor test your compliance with the standards, whereas the SEC, HIPAA, and PCI standards are more about shielding you from liability (or even jail time for HIPAA) in the event of a breach.
As part of our standard all-inclusive support packages Hybridge includes many of the technical and process capabilities you need to be compliant with any of these, including live hardware inventory, encryption, endpoint security and intrusion detection, and a monthly ticket report showing all access grants and revocations.
Selection, applicability, and implications of any of these regimes should be a series of discussions between your management team, Board of Directors, Hybridge, and other external advisors. Implementation and audit cost typically ranges from tens of thousands to hundreds of thousands of dollars, so the decision is not one to be taken lightly.
At a high level though, here are the main differences between SEC, SOC 2, HIPAA, PCI, and ISO27001:
SEC Registered Investment Adviser, Broker-Dealer, or Private Fund Adviser – required for many of our Venture and Private Equity clients, if you are subject to this you will know and we will already have talked about it.
SOC 2 - focuses on your internal processes that ensure the security, availability, and confidentiality of internal or client data. Compliant processes and policies must be written and implemented. The audit tests the organization’s compliance against those processes. Hybridge is SOC 2-compliant.
HIPAA - required for any health-related information, mostly focuses on who can get access to health data, who looked at it, who changed it. Requires substantial tracking and training of staff and use of apps that are specifically written and configured to be HIPAA-compliant.
PCI - required for handling credit card data in-house. Typically we work with clients to isolate their credit card processing so they don’t have to take the whole organization through PCI.
ISO 27001/2 - more prescriptive than SOC 2, and encompasses all systems and processes essential to a company’s operations. Second only to HIPAA in the “bureaucracy tax”.
We here at Hybridge take your security very seriously, and when it comes to your company’s data and your customer’s data, you can never be too careful or too secure. Cybercrime is a rapidly rising issue and cyber criminals are finding more ways to access your important data.
If you want to get more information on any of these standards, and to discuss whether any are a good fit for your company, feel free to contact us at info@hybridge.com or call us at 888-353-1763.