October 7, 2016 By Christopher Burgess 3 min read

National Cyber Security Awareness Month (NCSAM) is a time to reflect on how each of us can help our companies, employees and customers become more secure. Throughout October, security professionals and enthusiasts across the country are spreading knowledge and awareness. Trust is key to any transaction between a business and its customers or partners. Marketing and sales teams create and distribute white papers galore explaining the latest and greatest technological solutions. While these materials are often maligned, they provide real value by allowing the sales team to put its best foot forward.

Building Trust During Cyber Security Awareness Month

Health care professionals advise us to conduct self-inspections of our bodies for changes or anomalies, since we are the experts on our own being. During Cyber Security Awareness Month, security leaders should apply the same principle to their IT environments. It is the chief trust officer's (CTrO) job to build trust between the organization and its customers, and an examination of the organization's security posture can start the dialogue about that trust. Every company, big or small, can review its infrastructure, dependencies and processes against the format of the Statement on Standards for Attestation Engagements (SSAE) No. 16, or SSAE-16, which replaced SAS 70 in 2011.

SSAE-16

An SSAE-16 engagement produces an independent attestation of the company's controls. The Service Organization Control (SOC) reports issued under it come in two types. A Type I report describes the system and the design of its controls to meet specific control objectives at a point in time. A Type II report describes the same system and controls and, in addition, tests whether they operated effectively over a review period (commonly six to twelve months). The criteria of SOC 1 look remarkably similar to those of SAS 70: both address the controls at a service organization that are relevant to its customers' financial reporting (e.g., SOX compliance). SOC 2 is not about financial reporting; its criteria are the Trust Services Criteria. Apropos of Cyber Security Awareness Month, SOC 2 focuses on trust, encompassing security, availability, processing integrity, confidentiality and privacy, and it covers the various categories of policies, procedures, monitoring and communication. (Strictly speaking, SSAE 16 itself governed only SOC 1 reports; SOC 2 and SOC 3 were issued under AT Section 101 at the time, though practitioners commonly group all three together.) Whereas SOC 1 and SOC 2 reports are restricted-use documents that would be shared only under the protection of a nondisclosure agreement, a SOC 3 report is designed to be public-facing. It is a general-use summary, based on the SOC 2 examination, of whether the system meets the Trust Services Criteria, without the detailed description of controls and test results that the SOC 2 report contains.

ISO 27001

The International Organization for Standardization (ISO) standard ISO/IEC 27001 is similar, but more complex. ISO 27001 certification speaks volumes to customers. IBM's MaaS360, for example, recently achieved ISO 27001 certification. ISO 27001 focuses specifically on information security management systems (ISMS), which include people, processes and IT systems. Security leaders should review ISO 27001, locate the requirements that immediately apply and conduct a self-examination against the described criteria. This self-examination is an excellent second step toward identifying the low-hanging fruit and determining whether outside advisers or auditors are needed to prepare for formal ISO 27001 certification. As noted in the MaaS360 certification announcement, the 2013 revision of ISO 27001 lists 14 control categories with 114 separate controls in its Annex A, including:

  • Asset management;
  • Access control;
  • Cryptography;
  • Operations security; and
  • System acquisition, development and maintenance.

Implementation and Certification

Members of the Information Systems Audit and Control Association (ISACA) are often called upon to assist with SSAE-16 and ISO 27001 preparation. The nonprofit organization provides guidance on implementing and measuring the ISO 27001 controls, since certification requires ongoing monitoring of the ISMS rather than a one-time assessment. According to ISACA, "implementation costs are driven by the perception of risk and how much risk an organization is prepared to accept." It identifies four key areas of cost associated with implementing ISO 27001:

  • Internal resources;
  • External resources;
  • Certification; and
  • Implementation.

Cyber Security Awareness Month reminds us to collectively re-evaluate our current stance on security. We all wish to earn the trust of our customers, clients and partners. Attestations such as SSAE-16 SOC reports and certifications such as ISO 27001 go a long way toward helping an organization gain that trust. Security leaders should invest resources in documenting their security controls, and they shouldn't wait until the next National Cyber Security Awareness Month to get started.
