October 7, 2016 By Christopher Burgess 3 min read

National Cyber Security Awareness Month (NCSAM) is a time to reflect on how each one of us can help our companies, employees and customers become more secure. Throughout October, security professionals and enthusiasts across the country are spreading knowledge and awareness. Trust is key to any transaction between a business and its customers or partners. Marketing and sales teams create and distribute white papers galore explaining the latest and the greatest in technological solutions. While these materials are often maligned, they provide great value that allows the sales team to put its best foot forward.

Building Trust During Cyber Security Awareness Month

Health care professionals advise us to inspect our own bodies for changes or anomalies, since nobody knows our own being better than we do. During Cyber Security Awareness Month, security leaders should apply the same principle to their IT environments. It is the chief trust officer's (CTrO) job to build trust between the organization and its customers, and an honest examination of the organization's security posture is a natural way to start that dialogue. Every company, big or small, can review its infrastructure, dependencies and processes against the format of the Statement on Standards for Attestation Engagements No. 16 (SSAE-16), the attestation standard that replaced SAS-70 in 2011.

SSAE-16

An SSAE-16 engagement produces an independent attestation of the health of a service organization's controls. Reports come in two types. A Type I report describes the system and the design of its controls to meet stated control objectives as of a point in time. A Type II report additionally tests whether those controls operated effectively over a period of time (e.g., the preceding twelve months), which is why customers generally ask for it. The Service Organization Control (SOC) reports built on this model come in three flavors. The SOC-1 covers controls relevant to a customer's financial reporting; its criteria look remarkably similar to those of the SAS-70, and it is the report a customer's auditors will request in connection with Sarbanes-Oxley (SOX) compliance. The SOC-2 is based on the Trust Services Criteria rather than on financial reporting. Apropos of Cyber Security Awareness Month, the SOC-2 focuses on trust: it covers security, availability, processing integrity, confidentiality and privacy, and examines the organization's policies, procedures, monitoring and communication in each area. Whereas SOC-1 and SOC-2 reports are restricted-use documents, shared with customers and their auditors only under the protection of a nondisclosure agreement, a SOC-3 report is designed to be public-facing. It is a general-use summary of the SOC-2 audit, stating whether the system met the trust services criteria without disclosing the detailed control descriptions and test results.

ISO 27001

The International Organization for Standardization (ISO) 27001 standard is similar in spirit, but more complex. ISO 27001 certification speaks volumes to customers. IBM's MaaS360, for example, recently achieved ISO 27001 certification. ISO 27001 focuses specifically on information security management systems (ISMS), which encompass people, processes and IT systems. Security leaders should review the ISO 27001 controls, locate the specifications that immediately apply and conduct a self-examination against the described criteria. This self-examination is an excellent second step: it identifies the low-hanging fruit and shows whether outside advisers or auditors are needed to prepare for formal ISO 27001 certification. As noted in the MaaS360 certification announcement, the ISO 27001 control set (Annex A of the 2013 edition) consists of 14 control categories with 114 separate controls, which include:

  • Asset management;
  • Access control;
  • Cryptography;
  • Operations security; and
  • System acquisition, development and maintenance.

Implementation and Certification

Members of the Information Systems Audit and Control Association (ISACA) are often called upon to assist with SSAE-16 and ISO 27001 preparation. The nonprofit organization provides guidance on implementing and measuring the ISO 27001 controls, which matters because certification is not a one-time event: the standard requires the organization to monitor, measure and continually improve its ISMS, and certification is maintained through periodic surveillance audits. According to the ISACA, “implementation costs are driven by the perception of risk and how much risk an organization is prepared to accept.” It identifies four key areas of cost associated with implementation of ISO 27001:

  • Internal resources;
  • External resources;
  • Certification; and
  • Implementation.

Cyber Security Awareness Month reminds us to collectively re-evaluate our current stance on security. We all wish to garner the trust of our customers, clients and partners. Attestations like the SSAE-16 and certifications such as the ISO 27001 go a long way in helping an organization gain that trust. Security leaders should invest resources in documenting security, and they shouldn’t wait until the next National Cyber Security Awareness Month to get started.
