National Cyber Security Awareness Month: Attestations and Certifications
National Cyber Security Awareness Month (NCSAM) is a time to reflect on how each one of us can help our companies, employees and customers become more secure. Throughout October, security professionals and enthusiasts across the country are spreading knowledge and awareness. Trust is key to any transaction between a business and its customers or partners. Marketing and sales teams create and distribute white papers galore explaining the latest and the greatest in technological solutions. While these materials are often maligned, they provide great value that allows the sales team to put its best foot forward.
Building Trust During Cyber Security Awareness Month
Health care professionals advise us to conduct self-inspections of our bodies for changes or anomalies since we are clearly experts on our own being. During Cyber Security Awareness Month, security leaders should apply this principle to their IT environments. It is the chief trust officer’s (CTrO) job to build trust between the organization and its customers. An examination of the organization’s security posture can start the dialogue regarding this trust. Every company, big or small, has the ability to review its infrastructure, dependencies and processes according to the format of the Statement on Standards for Attestation Engagements (SSAE) No. 16, or SSAE-16, which replaced the SAS-70 in 2011.
The SSAE-16 is an attestation of the company’s health and well-being. The SSAE-16 is broken down into two types of Service Organization Control (SOC) reporting frameworks. A Type I report contains a description of the service organization’s system and its control design to meet a specific objective at a point in time (e.g., SOX compliance). A Type II report describes the system and controls that are designed to meet the control objectives over a period of time (e.g., the next year of operation). The criteria of the SOC-1 look remarkably similar to those of the SAS-70. The SOC-2 criteria are based on the availability of services. Apropos of Cyber Security Awareness Month, the SOC-2 focuses on trust. This encompasses security, availability, processing, confidentiality and privacy, and it covers the various categories of policies, procedures, monitoring and communication. Whereas the SOC-1 and SOC-2 are largely internal documents that would be shared only under the protection of a nondisclosure agreement, a SOC-3 report is designed to be public-facing. It contains a report on whether the system can be trusted, based on the audit of the SOC-1 and SOC-2.
The International Service Organization (ISO) 27001 standards are similar but more complex. ISO 27001 certification speaks volumes to customers. IBM’s MaaS360, for example, recently achieved ISO 27001 certification. ISO 27001 focuses specifically on information security management systems (ISMS). This includes people, processes and IT systems. Security leaders should review ISO 27001, locate the specifications that immediately apply and conduct a self-examination with regard to achieving the described criteria. This self-examination is an excellent second step toward identifying the low-hanging fruit and determining whether outside advisers or auditors are needed to prepare for formal ISO 27001 certification. As noted in the MaaS360 certification announcement, ISO 27001 certification consists of 14 control categories with 114 separate controls, which focus on:
- Asset management;
- Access control;
- Operational security;
- System development; and
Implementation and Certification
Members of the Information Systems Audit and Control Association (ISACA) are often called upon to assist with SSAE-16 and ISO 27001 preparation. The nonprofit organization provides guidance on implementation and measurement of the ISO 27001 controls since the certification requires dynamic and ongoing monitoring of all systems. According to the ISACA, “implementation costs are driven by the perception of risk and how much risk an organization is prepared to accept.” It identifies four key areas of cost associated with implementation of ISO 27001:
- Internal resources;
- External resources;
- Certification; and
Cyber Security Awareness Month reminds us to collectively re-evaluate our current stance on security. We all wish to garner the trust of our customers, clients and partners. Attestations like the SSAE-16 and certifications such as the ISO 27001 go a long way in helping an organization gain that trust. Security leaders should invest resources in documenting security, and they shouldn’t wait until the next National Cyber Security Awareness Month to get started.