Defining Scope: Boundaries, Tools & Setup

Guide to Selecting Security and Compliance Tools

A guide for choosing the most appropriate tools per category for your specific security and compliance needs

Introduction

This guide helps you choose tools that strengthen your security posture and support compliance requirements. It groups tools by area: HR processes, identity and device protection, the systems employees use every day, and the security and monitoring services of each cloud hosting provider.

Using this matrix, companies can decide which tools best fit their security and compliance needs, keep compliance efforts focused, and prepare for audits with a documented inventory of the systems in scope.

However, it is important to understand that this matrix is not exhaustive. It provides examples and suggestions from the evolving landscape of available solutions, offering a foundation for a secure and compliant Information Security Program.

Use this guide to accurately complete your Trustero “Scope” page, which allows for tracking and documenting selected tools. This ensures the scoping page remains a valuable resource, reflecting the ongoing changes in the security environment and aligning with current security practices.

Tools that support the People Team

This section lists tools that help companies follow HR security policies and protect employee information, with an emphasis on preparing for audits and securing information. It covers systems for managing HR processes related to information security, including training your staff on security awareness. 

Service: HRIS (Human Resource Information/Management System)
Definition: Manages HR processes, including payroll, benefits, and employee data. It is the system of record for the employee roster, which auditors reconcile against onboarding, offboarding and access-review evidence, so its data integrity matters.
Example tools: BambooHR, TriNet

Service: Employee Performance Management
Definition: Manages employee performance evaluations; provides evidence that reviews happen on the cadence policy requires and identifies training needs.
Example tools: TriNet Perform

Service: ATS (Applicant Tracking System)
Definition: Tracks and records the recruitment process from job posting to hire, preserving evidence of how candidates were screened.
Example tools: Greenhouse, Lever, Recruitee

Service: Background Checks
Definition: Tracks submission and completion of background checks (for example criminal records and employment history) so that pre-hire screening can be evidenced.
Example tools: AssureHire, Certn, Checkr, Deel, Paycom, VerificationX, Zinc

Service: Security Awareness Training
Definition: Programs that educate employees on information security. Most frameworks expect training at onboarding and at least annually, with completion records retained as evidence of adherence to security policies and regulations.
Example tools: Huntress Security Awareness Training (formerly Curricula), KnowBe4, Right-Hand, Skilljar, Wizer

Identity and Access Management & Physical Asset Protection 

This section focuses on tools for securing digital identities and physical devices like laptops and mobile phones. It is important for preventing unauthorized access and ensuring that devices are protected. It highlights solutions for controlling access to sensitive systems and data, and for keeping devices safe from security threats.

Service: MDM (Mobile Device Management)
Definition: Solutions that enforce disk encryption, malware protection, security updates and screen lock on laptops and phones, maintain a device inventory, and enable remote lock and wipe.
Example tools: Microsoft Intune, Jamf, Miradore

Service: Identity and Access Management (IAM) Solutions
Definition: Software that protects systems from unauthorized access or misuse by allowing only authenticated, authorized users (typically by job role) to reach specific company systems and data. Usually also the place where MFA and single sign-on are enforced and where access-review evidence is produced.
Example tools: Cisco Duo, Google Workspace (Cloud Identity), JumpCloud, Microsoft Entra ID (formerly Azure AD), Okta, OneLogin

Employee “Everyday Operational Systems”

This segment looks at the tools employees use daily, such as applications for business, communication, internal documentation, customer support, and code management. It shows the role these tools play in making work processes efficient, supporting teamwork, and ensuring secure and effective communication. This information helps companies secure these systems and boost productivity.

Service: Business Productivity and Collaboration Suite
Definition: Central platforms for document creation, collaboration, and productivity
Example tools: Google Workspace, Microsoft 365

Service: Internal Security Event and Incident Management Communication
Definition: Tools for real-time internal messaging, typically also the destination for alerts from automated tooling (vulnerability scanners, application error and crash reporting, security event sources)
Example tools: Slack, Microsoft Teams

Service: Internal Wiki/Intranet
Definition: Platforms for internal knowledge sharing and documentation (e.g., posting policies, plans and procedures)
Example tools: Azure DevOps Wiki, Confluence, Notion, Microsoft Teams

Service: Customer Support Management
Definition: Systems for managing customer inquiries and support tickets
Example tools: HubSpot, Zendesk, Jira Service Management

Service: Internal Ticketing System
Definition: Tools for tracking internal tasks and projects (e.g., software development, change management, access requests and removals)
Example tools: Azure DevOps, Jira Software

Service: Code Repository
Definition: Services for code storage and version control; also where branch protection, required review and pre-merge scanning are enforced
Example tools: GitHub, GitLab

Service: Incident Management and External Communication
Definition: Manages on-call escalation and communicates with customers during and after incidents
Example tools: Opsgenie (on-call and alert management), Statuspage (incident communication)

Security & Monitoring Tools per Cloud Hosting Provider

This section covers the security and monitoring services offered by AWS, Azure, and GCP, with provider-agnostic tools listed where they are commonly used in place of a native option. It includes tools for detecting vulnerabilities, monitoring systems, managing configurations, and responding to security incidents, and helps businesses choose the right tools for protecting cloud-based operations.

Service: Application Monitoring - Errors and Crashes
Definition: Monitors application performance and tracks errors and crashes.
AWS: Amazon CloudWatch; Datadog (provider-agnostic)
Azure: Azure Application Insights
GCP: Google Cloud Operations Suite (Cloud Monitoring, Cloud Logging, Error Reporting)

Service: Cloud Infrastructure Vulnerability Scanning
Definition: Scans compute instances, containers and other resources for known software vulnerabilities and insecure settings.
AWS: Amazon Inspector
Azure: Microsoft Defender for Cloud (formerly Azure Security Center)
GCP: Security Command Center

Service: Threat Detection
Definition: Identifies potential threats to cloud environments (for example anomalous API activity, credential misuse, contact with known-bad infrastructure) and raises alerts.
AWS: Amazon GuardDuty
Azure: Microsoft Sentinel (formerly Azure Sentinel); Microsoft Defender for Cloud
GCP: Event Threat Detection (Security Command Center Premium tier)

Service: Admin Activity Logging, Monitoring & Alerting
Definition: Records administrative and API actions and alerts on significant events. These logs are the primary evidence for change and access controls, so retention and integrity protection matter.
AWS: AWS CloudTrail (with CloudWatch alarms for alerting)
Azure: Azure Activity Log via Azure Monitor and Log Analytics
GCP: Cloud Audit Logs via Google Cloud Operations Suite (formerly Stackdriver)

Service: Capacity Monitoring & Management
Definition: Monitors resource utilization and supports capacity planning.
AWS: Amazon CloudWatch; Grafana (provider-agnostic)
Azure: Azure Monitor; Grafana
GCP: Google Cloud Operations Suite; Grafana

Service: Configuration Management (baseline for setup)
Definition: Defines and automates system configuration, typically as Infrastructure as Code (IaC), so the baseline is reviewable and reproducible.
AWS: AWS CloudFormation
Azure: Azure Resource Manager (ARM) templates and Bicep; Azure Automation State Configuration; Azure Policy
GCP: Google Cloud Deployment Manager; Infrastructure Manager (Terraform-based)

Service: Configuration Management Monitoring (after setup)
Definition: Continuously records the actual state of resources and reports drift from the baseline or from benchmark rules.
AWS: AWS Security Hub (aggregated findings; a lighter starting point for smaller SaaS teams, but it depends on AWS Config recording being enabled), AWS Config (full configuration history and rules, typical for mid-size and enterprise estates)
Azure: Azure Policy
GCP: Security Command Center

Service: Code Scanning (Dependency)
Definition: Scans project dependencies for known vulnerabilities (software composition analysis).
AWS: GitHub Dependabot, Snyk (both provider-agnostic)
Azure: GitHub Advanced Security for Azure DevOps
GCP: Artifact Registry with Artifact Analysis (scans built containers and packages rather than source manifests, so pair it with a repository-level scanner)

Service: Code Scanning (SAST)
Definition: Static application security testing that finds vulnerabilities in source code before pull requests (PRs) are merged.
AWS: Snyk, Semgrep, DeepSource, SonarQube (all provider-agnostic)
Azure: Azure DevOps (with Snyk integration)
GCP: Google Cloud Build (with third-party tools)

Service: Perimeter Security Firewall
Definition: Filters traffic at the network edge. WAF and DDoS services protect web-facing endpoints at the application layer and are not a substitute for network-layer filtering.
AWS: AWS Network Firewall; AWS WAF and AWS Shield for web-facing endpoints
Azure: Azure Firewall; Azure Web Application Firewall for web-facing endpoints
GCP: Cloud Next Generation Firewall; Google Cloud Armor for web-facing endpoints

Service: Host-based Firewalls
Definition: Applies firewall rules at the resource/instance level. Cloud security groups are stateful: return traffic for an allowed connection is permitted automatically.
AWS: AWS Security Groups
Azure: Network Security Groups (NSG) attached to the VM network interface
GCP: VPC firewall rules targeting Compute Engine instances (by network tag or service account)

Service: Public and Private Network Segmentation
Definition: Defines and enforces isolation between public and private network areas in a cloud environment (for example internet-facing load balancers versus databases with no public route).
AWS: Amazon VPC
Azure: Azure Virtual Network (VNet)
GCP: Google Cloud VPC

Service: Network ACLs/Subnets (network segmentation)
Definition: Allows or denies specific inbound or outbound traffic at the subnet level within a VPC (virtual private cloud). AWS NACLs are stateless and evaluate numbered rules in order, so reply traffic on ephemeral ports must be allowed explicitly.
AWS: AWS Network Access Control List (NACL)
Azure: Network Security Groups (NSG) attached to a subnet
GCP: VPC firewall rules and hierarchical firewall policies (GCP has no separate subnet-level ACL)
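The practical difference between the host-based firewall row and the network ACL row is statefulness, and it is the most common cause of a "the security group allows it but nothing connects" ticket. The following is an added example written for this guide, not code from Trustero or any cloud provider: a small Python model of a stateful, allow-only security group next to a stateless, numbered-rule network ACL, plus the kind of world-open-admin-port check a configuration-monitoring service (Security Hub, Azure Policy, Security Command Center) would run. Every address, port and rule is constructed for illustration, and the Packet and Rule classes are assumptions of this model rather than any provider's API.

```python
"""Stateful security-group vs stateless network-ACL evaluation (added example).

All rules, addresses and packets are constructed for illustration. The model
mirrors AWS concepts loosely; it is not the boto3 API.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = toward the protected instance, "out" = leaving it

    def flow(self) -> Flow:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self) -> Flow:
        # The flow key a reply to this packet would carry.
        return (self.dst, self.dport, self.src, self.sport)

@dataclass(frozen=True)
class Rule:
    direction: str         # "in" or "out"
    cidr: str              # remote address range the rule applies to
    port_from: int         # destination port range, inclusive
    port_to: int
    action: str = "allow"  # NACLs may also "deny"; security groups only allow
    number: int = 0        # NACL rule number; lowest is evaluated first

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        return (self.direction == pkt.direction
                and ip_address(remote) in ip_network(self.cidr)
                and self.port_from <= pkt.dport <= self.port_to)

class SecurityGroup:
    """Stateful and allow-only: replies to an admitted flow pass regardless of
    the rules in the opposite direction."""
    def __init__(self, rules: Iterable[Rule]):
        self.rules = [r for r in rules if r.action == "allow"]
        self._tracked: Set[Flow] = set()

    def evaluate(self, pkt: Packet) -> bool:
        if pkt.reverse_flow() in self._tracked:
            return True  # reply to a connection admitted earlier
        if any(r.matches(pkt) for r in self.rules):
            self._tracked.add(pkt.flow())
            return True
        return False

class NetworkAcl:
    """Stateless: each packet is judged alone, numbered rules are tried lowest
    first, the first match wins, and the implicit final rule denies."""
    def __init__(self, rules: Iterable[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> bool:
        for r in self.rules:
            if r.matches(pkt):
                return r.action == "allow"
        return False

def world_open_admin_ports(rules: Iterable[Rule],
                           admin_ports: Tuple[int, ...] = (22, 3389)) -> List[Rule]:
    """Config-monitoring style check: inbound allow rules exposing SSH/RDP to 0.0.0.0/0."""
    return [r for r in rules
            if r.direction == "in" and r.action == "allow"
            and ip_network(r.cidr).prefixlen == 0
            and any(r.port_from <= p <= r.port_to for p in admin_ports)]

def demo() -> Dict[str, bool]:
    # Constructed scenario: web server 10.0.1.10, client 203.0.113.7,
    # and an abusive range 198.51.100.0/24 that should be blocked.
    request = Packet("203.0.113.7", 51234, "10.0.1.10", 443, "in")
    reply = Packet("10.0.1.10", 443, "203.0.113.7", 51234, "out")
    blocked = Packet("198.51.100.5", 40000, "10.0.1.10", 443, "in")
    sg = SecurityGroup([Rule("in", "0.0.0.0/0", 443, 443)])
    nacl_missing_return = NetworkAcl([Rule("in", "0.0.0.0/0", 443, 443, number=100)])
    nacl_complete = NetworkAcl([
        Rule("in", "198.51.100.0/24", 0, 65535, action="deny", number=90),
        Rule("in", "0.0.0.0/0", 443, 443, number=100),
        Rule("out", "0.0.0.0/0", 1024, 65535, number=100),  # ephemeral-port replies
    ])
    return {
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),  # allowed by connection state alone
        "nacl_missing_return_request": nacl_missing_return.evaluate(request),
        "nacl_missing_return_reply": nacl_missing_return.evaluate(reply),  # dropped
        "nacl_complete_reply": nacl_complete.evaluate(reply),
        "nacl_complete_blocked": nacl_complete.evaluate(blocked),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The NACL with only an inbound rule admits the request and then drops the server's reply, because the reply is an outbound packet on an ephemeral port with no matching rule; the security group admits the same reply from its connection table. When documenting these controls on the Scope page, record both the security group rules and the subnet ACLs, since auditors and incident responders will read them as two independent layers.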