what they are, why they matter, and which ones to look for in your provider.
Years ago, it was common to evaluate a potential IT or hosting vendor with a
series of pointed questions in an Excel spreadsheet. At first, the questions
were simple and few, but over the years, these “security questionnaires” have
expanded to hundreds of questions covering everything from proximity to flood
zones to the level of encryption on a hard drive.
IT procurement teams now have difficulty asking the right
questions to shine a light on policies that govern their sensitive data and, perhaps
more importantly, verify the accuracy and ongoing adherence to those policies.
In fact, this
process has become so tedious and daunting for both sides that everyone is looking
for a way out. The solution, of course, is to settle on the exact standards
that buyers are looking for and have third-party audits to ensure that the standards are actually in
place. Verifying standards can become complex for the buyer, but it’s doable if
you know what to look for and what to ask.
The following is a guide for using these
standards when evaluating vendors. To help organize, we broke it up into three
sections: organizational certifications, compliance, and individual certifications.
Privacy & Security Certifications
For the reasons stated above, it’s important to
understand what each set of standards actually does (and does not) say about
the security posture of the provider. Some certifications aren’t nearly as
impressive as they may sound, but the ones below are solid certifications proving an
organization’s level of security.
ISO (International Organization for Standardization)
standards were born out
of the question, “what’s the best way of doing things?” They
are created and agreed
upon by independent subject matter experts all across the world. There are ISO standards for all
sorts of things, like making sure kids’ toys don’t have sharp edges (ISO
8124-1) and reducing environmental impacts (ISO 14000), but for our purposes
here, we’ll focus on those applying directly to data security and privacy.
All ISO certifications run on a three-year renewal cycle, so the organization needs to be audited again for their cert to stay valid. In the first year, ISO experts work with the organization to audit the controls (or “requirements”) listed in the specific certification. The second and third years include what’s called a “surveillance audit,” where ISO monitors the security controls put in place to ensure they’re being followed and carried out correctly. Overall, the goal here for the organization is continuous improvement.
- ISO 27001 – The organization has put in
the work to implement a comprehensive “Information Security Management System”
or ISMS. It focuses on protecting your information’s confidentiality,
integrity, and availability. Basically, ensuring that only authorized persons
have access to your information, are able to make changes to the information,
and can access the information any time it’s needed.
- ISO 27017 – Specific to cloud service
providers. ISO 27017 adds cloud-specific security controls to the baseline set
by ISO 27001, covering security techniques, risk management, access management,
- ISO 27018 – When it comes to personal
information stored in the cloud, extra precautions to protect it should be in
place. That’s what ISO 27018 is: additional controls to protect PII in cloud
environments. It ensures the provider has identified potential risks and has
measures in place to manage or reduce them.
- ISO 22301 – Not only does this cert make an organization prove they have a
business continuity plan in place, but that it also has the appropriate security
measures built into it. The ISO 22301 certifies that the organization’s
business continuity plan has been evaluated thoroughly and works effectively.
ISO standards are working quietly in the background of our lives, making things safer,
better, and more effective. When things don’t work as they should, it often
means that the standards are absent.
Ask the scope of the provider’s certifications. Sometimes, the cert covers only a portion of the business (company data vs. client data, etc.) instead of everything they touch. Look for “all services provided by ISO partners,” because it’s demonstrable evidence that the entire business is certified, not just a portion of it.
SOC (Systems and Organization Controls)
SOC was created by the AICPA (American Institute of Certified Public Accountants) which represents the CPA profession nationally regarding rule-making and standard-setting. The certification examines controls to ensure “Trust Services Criteria,” or privacy, confidentiality, processing integrity, availability, and security. There are different levels and types of SOC, each for different purposes and different kinds of organizations.
- SOC 1 (Internal Control over Financial Reporting) – Provides guidance for auditors assessing financial statement controls at service organizations.
- SOC 2 (Trust Services Criteria) – Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 details the descriptions of the service auditor’s tests of controls and results.
- SOC 3 (Trust Services Criteria for General Use) – Essentially the same as SOC 2 but doesn’t include descriptions of the tests or results and is much less detailed.
- Type I: confirms that the controls exist.
- Type II: confirms that the controls exist and that they actually work.
The audit process depends on which SOC you go for, but generally lasts six to
twelve weeks and is carried out by an accredited, independent third party hired
by the AICPA. Over the review period, the third-party auditor works with the
business to assess their controls, while the business works exhaustively to get
their controls up to SOC status.
SOC 2 Type II is the most important report an
IT vendor can hold. It guarantees they’re annually meeting (or exceeding) SOC’s
industry-specific standards for privacy and security. Ask to see their SOC audit
report so you know where they fell short and if they’ve since remedied those
FedRAMP (Federal Risk and Authorization Management Program)
FedRAMP is one of the most rigorous certifications in the
world. It’s the US government’s standardized approach to security assessment,
authorization, and continuous monitoring for cloud products and services. It is
governed by different Executive Branch entities like the Joint Authorization
Board and Department of Defense.
There are three main parts to the FedRAMP process:
- A RAR (Readiness Assessment Report) is done by a third-party auditing organization that reviews the provider’s standards.
- If their standards meet the requirements, the third-party auditing body then submits the RAR report to FedRAMP for review and consideration. If that’s successful, the organization is then declared “FedRAMP-ready.” This places the organization inside a Federal Marketplace.
- Any federal organization can select the provider from the Marketplace directory and then must hold a SAR (security assessment report) to ensure the provider meets the federal agency’s specific security needs. If they do, the federal organization gives the provider “Authority to Operate,” which means they have the ability and permission to work only with that specific federal organization.
Obviously, becoming a FedRAMP-authorized provider is not for the faint-hearted; the level of security required is mandated by the Federal Government. So, any provider with this authorization is solid—they’ve gained the approval and trust of the US Federal Government!
Compliance is different from any kind of certification because it’s required by law. Failing to meet compliance requirements can
land organizations with serious fines or even jail time.
Mostly, self-attestation is all that’s required here. There’s no auditing by third parties—only internal review and evidence gathering.
- HIPAA (Health Insurance Portability and Accountability Act) – HIPAA is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities, doctors’ offices, hospitals, health insurers, and other healthcare companies with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf.
- ITAR (International Traffic in Arms Regulations) – ITAR is a set of regulations ensuring the protection of government defense data, including articles and services on the United States Munitions List (USML) and all related technical data. This is required for any provider or subcontractor handling defense data.
- PCI/DSS (Payment Card Industry/Data Security Standard) – Being PCI compliant means the organization follows all standards to safely and securely accept, store, and process cardholder data used in credit card transactions to prevent fraud and reduce the volume and impact of data breaches. Providers will usually have an official certification of their PCI compliance granted by the PCI Security Standards Council.
Ask how they keep track of the controls and
processes in place for meeting compliance regulations. This ensures they are
maintaining compliance standards and tracking all updates to their
system—which any smart provider will keep in well-maintained logs.
Just like organizational certifications prove
a system has met certain standards, individual certifications do the
same on a per-person level. They guarantee certain people on the team
have tested, specific, and unique knowledge and experience to guide and add
value to the organization and its clients. There are tons of individual
certifications available out there, but the below certs are the most common and
trusted by experts in the tech world.
- CISA (Certified Information Systems Auditor) – CISA is the world-renowned standard for IS professionals managed by ISACA, an international membership community started in 1967 to provide guidance and research in the IT field. CISA proves expertise in auditing, controlling, monitoring, and assessing information systems. This is an essential certification for any IT/IS professional.
- CISM (Certified Information Security Manager) – Similar to CISA. Indicates expertise in information security governance, program development and management, incident management, and risk management.
- CISSP (Certified Information Systems Security Professional) – Managed by (ISC)², an international nonprofit membership association. CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization. Receiving a CISSP requires a combination of exams and five years of cumulative paid work experience in related fields.
- MCSE (Microsoft Certified Software Engineer) Core Infrastructure – MCSE validates that you have the skills needed to run a highly efficient and modern data center, identity management, systems management, virtualization, storage, and networking. To achieve the cert, you have to take multiple courses (held by Microsoft) on subjects like Windows servers, infrastructure, hybrid cloud, etc., and then pass three exams. Getting most Microsoft certifications takes time, money, and effort, but definitely proves you’ve got the right skills.
There are thousands of individual
certifications available in the market. Again, finding which are important to
you and your organization depends on what kinds of technology you work with:
Linux, Windows, VMware, etc. Seek out organizations with people on staff who
hold certifications related to your technology and goals.
Most Valuable Question to Ask
You may be asking, ‘How do big companies
with all the right certs get hacked?’ It’s a fair question, and the answer
is that nothing can guarantee safety from the possibility of human error, which
causes approximately 90% of all security incidents. Most of the “big hacks” we hear
about these days start with simple social engineering tactics (phishing, USB
drops, tailgating, etc.) and then advance in severity from there. These can
only be avoided when companies provide employees with regular, effective,
and engaging security education.
Find out how the
provider educates its employees on security and privacy safety. Always, always
understand the level of education that a company provides to its employees and
what that training program includes.
Security education is key: without it, it really doesn’t matter what
certifications the organization has earned. They can all be brought down in a
single moment of human error. While all security-based standards require (and
will be audited for) employee security education and awareness, the auditor
isn’t responsible for grading the quality or frequency of the training. That’s
just another aspect for you to verify by asking the right questions.
Although concerns about data security and
privacy are nothing new, the process for evaluating IT service providers has
evolved significantly over the last five years to meet the challenges posed by
modern threats. Certifications minimize the work involved in the procurement
process, but they don’t remove it. The remaining responsibility falls on the
buyer to understand the standards and ask questions to make sure their privacy
and security needs are truly covered.