How long does it take (in hours) for an org to get SOC2 ready for the first time in Vanta?
40 hours (30 for Startups)
How long is ISO 27001 valid for?
3 years
T/F: HIPAA requires a third party audit
False; it's self-attested.
T/F: Vanta is currently FedRAMP 20x Low Authorized.
True!
What does GRC stand for?
Governance, Risk Management, and Compliance.
Does it take longer to get Type 1 ready, or Type 2 ready, or do they take the same amount of time to prep for?
The same!
However, the audit observation window is longer for Type 2 (3-6 months vs just 1 day)
How long does it take (in hours) for an org to get ISO27001 ready for the first time in Vanta?
40-80 hours (40-60 for Startups)
T/F: GDPR only applies to EU-based sites.
False. GDPR regulations follow the user, not the company. Even if your org is not based in the EU, if EU-based users can access your site and you’re collecting or processing data from them, you’re required by law to comply with GDPR.
This framework outlines standards for handling credit cardholder information.
PCI DSS
What is the most common way an organization will evaluate another organization's security program?
Security questionnaires
T/F: A pen test is a hard requirement for SOC2.
False, but it is often recommended.
What is the overlap between SOC2 and ISO27001 (%)?
70-80%. Technical controls are similar, but the remaining work is more administrative (policies, documents, a more in-depth risk assessment).
Name some examples of "personal information" GDPR is in place to protect
Name and date of birth, as well as web data like email address, IP address and cookies; payment information; political stances; demographic information; health information; and more. It even covers user-generated content like photos users post.
This framework centralizes and allows our customers to attest to privacy regulations in CA, CO, CT, UT, and VA and any new state privacy regulations as they’re introduced.
USDP
What are some ways Vanta helps companies who are already compliant?
- automated evidence collection & cross-control mapping for faster & stronger compliance maintenance YOY
- centralize & unify disparate security & compliance processes into a single source of truth
- continuous monitoring of controls 24/7 and real-time visibility into their risks/gaps
- additional automated workflows for what used to be manual (VRM, QA, & more)
- demonstration of security and compliance posture via a Trust Center
T/F: Vanta promises zero exceptions on your SOC2 audit.
False. No third party platform (including Vanta) can promise this!
Describe surveillance audits and when they take place
Surveillance audits take place in Year 2 and Year 3. The auditor picks 1/3 of your controls to audit to make sure you’re staying in compliance (like a mini audit).
What does ePHI stand for (as related to HIPAA compliance)? What are some examples?
Electronic Protected Health Information. Examples: a patient's medical records, billing information, or health insurance details.
What AI-related frameworks does Vanta support today? (3)
NIST AI RMF (Risk Management Framework)
ISO 42001 AIMS (AI Management System)
EU AI Act
What is a "control"?
A compliance control is a process, policy, or procedure implemented by an org to ensure adherence to compliance regulations/standards. Controls are designed to help safeguard an org and minimize risk.
TLDR: compliance requirements
What are the 5 Trust Service Criteria related to a SOC2?
BONUS: Which ones can Vanta support today?
Security, Availability, Confidentiality, Processing Integrity, and Privacy.
All 5!
Describe the internal audit, who can perform it, and if it's required
Yes - it's required! It's a "pre-assessment" to ensure the company is fully prepared for successful Stage 1 & 2 audits. It is recommended to be completed by a third party (Vanta can recommend partners), or it can be performed by an internal employee as long as they are competent (IT and ISO knowledge) and independent (not the person building out the ISMS).
T/F: non-EU companies claiming they're GDPR compliant are required to have an EU-based representative.
True, and Vanta has a partner that can provide these at a discount.
Describe who needs to be FEDRAMP compliant.
Bonus: who needs to be CMMC compliant?
Describe the difference between security and compliance
Security refers to the systems and controls that a company implements to protect its assets/data, while compliance refers to applying those systems/controls to meet the regulatory standards that a third party has set forth as best practices or legal requirements.