Continuum GRC Security

SaaS security at Continuum GRC is job one. All Continuum GRC customers benefit from a data center and network architecture built to satisfy the requirements of the most security-sensitive organizations. Continuum GRC cloud compliance enables our customers to understand the robust controls in place to maintain security and data protection in the cloud. Because our systems are built on top of AWS cloud and AWS GovCloud infrastructure, compliance responsibilities are shared.

By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, Continuum GRC compliance enablers build on traditional programs, helping customers to establish and operate in a Continuum GRC security control environment.

Compliance

Continuum GRC environments are continuously audited, with certifications and attestations from accreditation bodies across geographies and verticals. In the Continuum GRC environment, customers can take advantage of automated tools for asset inventory and privileged access reporting.

We use our own tools exclusively to manage our own compliance program internally. When national security, cybersecurity, and your organization's competitive advantage are at risk, don't trust your data or success to anything less!

Audit and compliance modules for FedRAMP

FedRAMP Authorization

FedRAMP Authorized Moderate

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Continuum GRC is the only Risk Assessment and Management solution listed in the FedRAMP certified marketplace.

FedRAMP enables agencies to move rapidly from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT. Continuum GRC created and manages a core set of processes to ensure effective, repeatable cloud security for the government.

Audit and compliance modules for StateRAMP

StateRAMP Authorized

StateRAMP Authorized Moderate

StateRAMP is a program that enables cloud service providers (CSPs) to meet and demonstrate the security requirements embedded in FISMA and the NIST publications, so that a state, local or tribal government agency may outsource with the confidence that its cloud service provider is meeting those requirements. Continuum GRC is the only Risk Assessment and Management solution listed in the StateRAMP marketplace.

ISO 27001 Certification

Continuum GRC has been certified for compliance with ISO/IEC 27001, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. These certifications are performed by independent third-party auditors. Our compliance with this internationally recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that the Continuum GRC security program is in accordance with industry-leading best practices.

ISO 27017 Certification

Continuum GRC has been certified for compliance with ISO/IEC 27017, which gives guidelines for information security controls applicable to the provision and use of cloud services. It provides additional implementation guidance for relevant controls specified in ISO/IEC 27002, together with additional controls and implementation guidance that specifically relate to cloud services. ISO/IEC 27017 provides controls and implementation guidance for both cloud service providers and cloud service customers. These certifications are performed by independent third-party auditors. Our compliance with this internationally recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that the Continuum GRC security program is in accordance with industry-leading best practices.

ISO 27018 Certification

Continuum GRC has been certified for compliance with ISO/IEC 27018, which establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII that can apply within the information security risk environment(s) of a provider of public cloud services. ISO/IEC 27018 is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, that provide information processing services as PII processors via cloud computing under contract to other organizations. These certifications are performed by independent third-party auditors. Our compliance with this internationally recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that the Continuum GRC security program is in accordance with industry-leading best practices.

Audit and compliance modules for ISO 27701

ISO 27701 Certification

Continuum GRC has been certified for compliance with ISO/IEC 27701, which specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS), in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. ISO/IEC 27701 specifies PIMS-related requirements and provides guidance for PII controllers and PII processors that hold responsibility and accountability for PII processing. ISO/IEC 27701 is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, that are PII controllers and/or PII processors processing PII within an ISMS. These certifications are performed by independent third-party auditors. Our compliance with this internationally recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that the Continuum GRC security program is in accordance with industry-leading best practices.

SOC 2 Type 2 Attestation

Continuum GRC publishes a Service Organization Controls 2 (SOC 2) Type II report. The SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading-practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as Continuum GRC.

Audit and compliance modules for PCI

PCI DSS Certification

Continuum GRC is certified under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run Continuum GRC applications on our PCI-compliant technology environment for storing, processing, and transmitting credit card information in the cloud. The Continuum GRC PCI compliance package includes the Continuum GRC PCI SAQ-D Service Provider Attestation of Compliance (AoC), which shows that Continuum GRC has been successfully validated against the standards applicable to a service provider under PCI DSS, and the Continuum GRC PCI Responsibility Summary, which explains how compliance responsibilities are shared between Continuum GRC, AWS and our customers in the cloud.

Audit and compliance modules for HIPAA

HIPAA Attestation

Continuum GRC enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure Continuum GRC and AWS environment to process, maintain, and store protected health information. Additionally, Continuum GRC, as of December 2015, is able to sign business associate agreements (BAA) with such customers.

Contact Continuum GRC for Compliance Reports & Certifications

You can request the reports and certifications produced by our third-party auditors that attest to the design and operating effectiveness of the Continuum GRC environment. Report and certification requests can be made through a Continuum GRC account representative.

Security Benefits

As an AWS customer, we inherit all the best practices of AWS policies, architecture, and operational processes built to satisfy the requirements of our most security-sensitive customers. We get the flexibility and agility needed in security controls.