October 7, 2016 By Christopher Burgess 3 min read

National Cyber Security Awareness Month (NCSAM) is a time to reflect on how each one of us can help our companies, employees and customers become more secure. Throughout October, security professionals and enthusiasts across the country are spreading knowledge and awareness. Trust is key to any transaction between a business and its customers or partners. Marketing and sales teams create and distribute white papers galore explaining the latest and greatest in technological solutions. While these materials are often maligned, they provide real value: they allow the sales team to put its best foot forward. A security attestation does the same job, backed by evidence rather than claims.

Building Trust During Cyber Security Awareness Month

Health care professionals advise us to conduct self-inspections of our bodies for changes or anomalies, since we are the people most familiar with our own being. During Cyber Security Awareness Month, security leaders should apply the same principle to their IT environments. It is the chief trust officer's (CTrO) job to build trust between the organization and its customers, and an examination of the organization's security posture can start the dialogue about that trust. Every company, big or small, can review its infrastructure, dependencies and processes against the format of the Statement on Standards for Attestation Engagements (SSAE) No. 16, or SSAE-16, which replaced SAS-70 in 2011.

SSAE-16

An SSAE-16 report is an independent auditor's attestation of the company's health and well-being. SSAE-16 is the standard under which Service Organization Control (SOC) 1 reports are issued; the SOC-2 and SOC-3 reports that are usually discussed alongside it rest on the AICPA's Trust Services criteria, but the three are commonly grouped together. SOC-1 and SOC-2 reports each come in two types. A Type I report contains a description of the system and of the control design as they exist at a single point in time. A Type II report additionally tests whether those controls operated effectively over a review period, typically six to 12 months. The criteria of SOC-1 look remarkably similar to those of SAS-70: it covers the controls relevant to a customer's financial reporting (the controls a SOX auditor cares about). SOC-2 is the one that, apropos of Cyber Security Awareness Month, focuses on trust. It is organized around five trust services principles, namely security, availability, processing integrity, confidentiality and privacy, and covers the organization's policies, procedures, monitoring and communication in each area. Whereas SOC-1 and SOC-2 reports are restricted-use documents that are normally shared only under a nondisclosure agreement, a SOC-3 report is designed to be public-facing. It states whether the system meets the Trust Services criteria, based on the same examination that produces the SOC-2, but omits the detailed control descriptions and test results.

ISO 27001

The International Organization for Standardization (ISO) 27001 standard is similar in spirit, but broader in scope. ISO 27001 certification speaks volumes to customers. IBM's MaaS360, for example, recently achieved ISO 27001 certification. ISO 27001 focuses specifically on information security management systems (ISMS), which encompass people, processes and IT systems rather than technology alone. Security leaders should review ISO 27001, locate the requirements that immediately apply and conduct a self-examination against the described criteria. This self-examination is an excellent second step toward identifying the low-hanging fruit and determining whether outside advisers or auditors are needed to prepare for formal certification. As noted in the MaaS360 certification announcement, Annex A of ISO/IEC 27001:2013 consists of 14 control categories with 114 separate controls, which focus on areas such as:

  • Asset management;
  • Access control;
  • Cryptography;
  • Operational security;
  • System development; and
  • Maintenance.

Implementation and Certification

Members of the Information Systems Audit and Control Association (ISACA) are often called upon to assist with SSAE-16 and ISO 27001 preparation. The nonprofit organization provides guidance on implementing and measuring the ISO 27001 controls, which matters because certification is not a one-time event: maintaining it requires ongoing monitoring of the systems in scope and periodic surveillance audits. According to ISACA, "implementation costs are driven by the perception of risk and how much risk an organization is prepared to accept." It identifies four key areas of cost associated with implementation of ISO 27001:

  • Internal resources;
  • External resources;
  • Certification; and
  • Implementation.

Cyber Security Awareness Month reminds us to collectively re-evaluate our current stance on security. We all wish to earn the trust of our customers, clients and partners. Attestations such as SSAE-16 and certifications such as ISO 27001 go a long way toward helping an organization gain that trust. Security leaders should invest resources in documenting and evidencing their security controls, and they shouldn't wait until the next National Cyber Security Awareness Month to get started.
